Cyber Posture

CVE-2025-67728

Critical

Published: 12 December 2025

Published
12 December 2025
Modified
22 December 2025
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0045 63.7th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Fireshare facilitates self-hosted media and link sharing. Versions 1.2.30 and below allow an authenticated user, or unauthenticated user if the Public Uploads setting is enabled, to craft a malicious filename when uploading a video file. The malicious filename is then…

more

concatenated directly into a shell command, which can be used for uploading files to arbitrary directories via path traversal, or executing system commands for Remote Code Execution (RCE). This issue is fixed in version 1.3.0.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly requires validation of uploaded filenames to block malicious payloads that enable command injection and path traversal.

SI-2 Flaw Remediation good match
prevent

Mandates timely flaw remediation by patching to Fireshare version 1.3.0, which fixes the command injection vulnerability.

SI-9 Information Input Restrictions good match
prevent

Restricts filename inputs to permitted types and formats, preventing inclusion of shell metacharacters that lead to RCE.

Security SummaryAI

CVE-2025-67728 is a critical command injection vulnerability (CWE-77) in Fireshare, a self-hosted media and link sharing application. It affects versions 1.2.30 and below, where a malicious filename provided during video file uploads is directly concatenated into a shell command without proper sanitization or validation. Published on 2025-12-12, the flaw enables path traversal or remote code execution (RCE) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

The vulnerability can be exploited by an authenticated user or, if the Public Uploads setting is enabled, by an unauthenticated remote attacker over the network with low complexity and no user interaction required. By crafting a specially formatted filename in a video upload, attackers can write files to arbitrary directories via path traversal or inject commands for RCE, potentially leading to full system compromise including high confidentiality, integrity, and availability impacts.

Fireshare version 1.3.0 addresses the issue with a fix detailed in the commit at https://github.com/ShaneIsrael/fireshare/commit/157386c85f6683f89192dae52115069b435b6d34. Additional mitigation guidance is available in the GitHub security advisory at https://github.com/ShaneIsrael/fireshare/security/advisories/GHSA-c4f5-g622-q72m. Security practitioners should upgrade to 1.3.0 and review Public Uploads configurations.

Details

CWE(s)
CWE-77

Affected Products

shaneisrael
fireshare
≤ 1.3.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
attack.mitre.org →
Why these techniques?

The vulnerability is a command injection (CWE-77) in a public-facing web application (Fireshare) exploitable remotely without authentication if public uploads are enabled, enabling RCE via shell command execution. This directly maps to T1190 (Exploit Public-Facing Application) and T1059 (Command and Scripting Interpreter).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References