Cyber Posture

CVE-2025-66449

Severity: High · Public PoC available

Published: 16 December 2025
Modified: 07 January 2026
KEV Added: (none)
Patch: available (version 0.16.0)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0015 (35.5th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

ConvertX is a self-hosted online file converter. In versions prior to 0.16.0, the endpoint `/upload` allows an authenticated user to write arbitrary files on the system, overwriting binaries and allowing code execution. The upload function takes `file.name` directly from user-supplied data without doing any sanitization on the name, thus allowing for arbitrary file write. This can be used to overwrite system binaries with ones provided by an attacker, allowing full code execution. Version 0.16.0 contains a patch for the issue.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

Prevent: Requires validation of user-supplied file names at the upload endpoint to prevent arbitrary file writes and overwriting of system binaries.

Prevent: Ensures timely flaw remediation by applying the patch in version 0.16.0 that sanitizes file names and blocks the vulnerability.

Prevent: Limits application process privileges to prevent overwriting critical system binaries even with unsanitized file names.
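The file-name validation the first control calls for, shown as an added TypeScript example (not ConvertX's own code or its fix): the client-supplied name is reduced to a single allow-listed path component, and the final write path is checked to lie directly inside an assumed upload directory before any write happens. The helper names (`sanitizeUploadName`, `resolveUploadPath`, `rejectsUploadName`) are hypothetical.

```typescript
import * as path from "node:path";

// Added example, not ConvertX's code: derive a safe on-disk path for an upload
// from the client-supplied name, so that `file.name` can never steer the write
// outside the upload directory (the CVE-2025-66449 pattern).

export class UnsafeFileNameError extends Error {}

// Conservative allow-list: ASCII name, no leading dot, no separators, no NUL.
const SAFE_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$/;

// Reduce a client-supplied name to one safe path component.
export function sanitizeUploadName(clientName: string): string {
  // Take the last component under both POSIX and Windows rules, which drops any
  // directory prefix, absolute path or "../" chain the client sent.
  const base = path.win32.basename(path.posix.basename(clientName));
  if (base === "" || base === "." || base === "..") {
    throw new UnsafeFileNameError(`no usable file name in ${JSON.stringify(clientName)}`);
  }
  if (!SAFE_NAME.test(base)) {
    throw new UnsafeFileNameError(`rejected file name ${JSON.stringify(base)}`);
  }
  return base;
}

// Resolve the final write path and prove it sits directly inside the upload root.
export function resolveUploadPath(uploadDir: string, clientName: string): string {
  const root = path.resolve(uploadDir);
  const target = path.resolve(root, sanitizeUploadName(clientName));
  // Defence in depth: even with a sanitized name, refuse anything outside root.
  if (path.dirname(target) !== root) {
    throw new UnsafeFileNameError(`path ${target} escapes ${root}`);
  }
  return target;
}

// True when the name is rejected outright; handy for logging or alerting on
// upload requests that carry traversal sequences or control characters.
export function rejectsUploadName(clientName: string): boolean {
  try {
    sanitizeUploadName(clientName);
    return false;
  } catch (e) {
    if (e instanceof UnsafeFileNameError) return true;
    throw e;
  }
}
```

Running the upload handler under a dedicated low-privilege account (the third control) still matters: this check stops the path escape, not a misconfigured upload directory.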

Security Summary (AI-generated)

CVE-2025-66449 is a vulnerability in ConvertX, a self-hosted online file converter, affecting versions prior to 0.16.0. The issue lies in the `/upload` endpoint, where the upload function directly uses the user-supplied `file.name` without sanitization. This allows arbitrary file writes on the system, including overwriting binaries, which can lead to code execution.

An authenticated user can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation enables the attacker to overwrite system binaries with malicious files provided in the upload, achieving full code execution on the server.

The GitHub security advisory GHSA-cpww-gwgc-p72r documents the vulnerability, and version 0.16.0 includes a patch that addresses the lack of file name sanitization. The fixing commit is at https://github.com/C4illin/ConvertX/commit/550f472451755d095cf5802bc91f403e85b7129e, while the vulnerable code appears in src/pages/upload.tsx lines 27-30 at https://github.com/C4illin/ConvertX/blob/4ae2aab66ace7cdcc14c5a16ecaaf2372b9ccbdf/src/pages/upload.tsx#L27-L30.

Details

CWE(s): (none listed)

Affected Products: c4illin/convertx ≤ 0.16.0

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1554 Compromise Host Software Binary (Persistence): Adversaries may modify host software binaries to establish persistent access to systems.

Why these techniques?

The vulnerability allows exploitation of a public-facing web application (T1190) via an authenticated file upload endpoint that leads to arbitrary file writes, enabling compromise of host software binaries by overwriting system binaries with malicious code (T1554).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References