CVE-2025-61506
Published: 03 February 2026
Description
An issue was discovered in MediaCrush thru 1.0.1 allowing remote unauthenticated attackers to upload arbitrary files of any size to the /upload endpoint.
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CWE-434 unrestricted file uploads by validating file types, sizes, and content at the /upload endpoint before acceptance.
Prevents unauthenticated remote attackers from accessing the /upload endpoint by enforcing logical access controls requiring identification and authorization.
Provides protections for the publicly accessible /upload endpoint to limit unauthorized exploitation of unrestricted file upload capabilities.
Security SummaryAI
CVE-2025-61506, published on 2026-02-03, is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting MediaCrush through version 1.0.1. The issue, tied to CWE-434 (Unrestricted Upload of File with Dangerous Type), enables remote unauthenticated attackers to upload arbitrary files of any size to the /upload endpoint.
Any remote attacker with network access can exploit this vulnerability without authentication, privileges, or user interaction due to its low attack complexity. Exploitation allows uploading files unrestricted by type or size, potentially granting high-impact access to confidentiality, integrity, and availability, such as executing malicious code if web servers process uploaded files.
Advisories reference a GitHub Gist at https://gist.github.com/pescada-dev/a046d36e8026bbaf1ee591c6dad0d7e6 for further details on the vulnerability.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables exploitation of a public-facing web application (/upload endpoint) for unauthenticated arbitrary file upload (T1190), facilitating deployment and execution of web shells (T1100).