CVE-2025-66480

CVE-2025-66480 is a critical directory traversal vulnerability in the file upload functionality of Wildfire IM's im-server component, specifically in the com.xiaoleilu.loServer.action.UploadFileAction class. Wildfire IM is an instant messaging and real-time audio/video solution. Prior to version 1.4.3, the /fs endpoint processes multipart file uploads but fails to sanitize user-supplied filenames, allowing directory traversal sequences such as ../../ to be directly concatenated with the configured storage directory in the writeFileUploadData method. This enables arbitrary file writes to locations on the server's filesystem where the application process has write permissions. The vulnerability is rated 9.8 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-434 (Unrestricted Upload of File with Dangerous Type).

Any unauthenticated remote attacker can exploit this vulnerability by sending a crafted multipart file upload request to the /fs endpoint with a malicious filename containing traversal sequences. Successful exploitation allows the attacker to write arbitrary files, such as executable scripts, binaries, or modifications to critical files like authorized_keys or cron jobs, leading to full remote code execution (RCE) and complete server compromise.

The vulnerability is addressed in Wildfire IM im-server version 1.4.3, as detailed in the project's GitHub security advisory (GHSA-74hq-jhx2-fq6c), release notes, and the fixing commit (2f9c4e028c01c64913cab32e7248bcca183a5230). Security practitioners should upgrade to 1.4.3 or later and review access to the /fs endpoint, ensuring it is not exposed publicly while implementing filename sanitization and directory restrictions as interim measures.