CVE-2025-66449

8.8 HIGH

📋 TL;DR

CVE-2025-66449 is an arbitrary file write vulnerability in ConvertX, a self-hosted online file converter. The /upload endpoint used the client-supplied file name when writing the uploaded file to disk, so an authenticated user can submit a name containing path traversal sequences (for example '../../') and place attacker-controlled content at any path the ConvertX process can write, including its own or system binaries. Overwriting an executable that later runs gives remote code execution. All ConvertX instances running versions prior to 0.16.0 are affected.

💻 Affected Systems

Products:
  • ConvertX
Versions: All versions prior to 0.16.0
Operating Systems: All operating systems running ConvertX
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the /upload endpoint. The vulnerability exists in the file name handling logic.
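The following is an added illustration of the bug class, not ConvertX's own code: a handler that joins the client-supplied multipart file name onto the upload directory, next to a hardened version that keeps only the final path component, allow-lists characters and re-checks containment on the resolved path. The upload directory (/app/data/uploads), the function names and the probe names are assumptions chosen for the example.

```typescript
import * as path from "node:path";

// Added illustration, not ConvertX's code: a client-controlled file name joined
// onto the upload directory (the bug class in CVE-2025-66449) next to a hardened
// version. The directory, function names and sample names are assumed.
const UPLOAD_DIR = "/app/data/uploads";

// Vulnerable pattern: path.join normalises "..", so a name such as
// "../../../usr/local/bin/bun" resolves to a path outside the upload directory.
function vulnerableTargetPath(uploadDir: string, clientName: string): string {
  return path.posix.join(uploadDir, clientName);
}

// True when `target` does not live strictly inside `uploadDir`.
function escapesUploadDir(uploadDir: string, target: string): boolean {
  const root = path.posix.resolve(uploadDir);
  return !path.posix.resolve(target).startsWith(root + "/");
}

// Hardened pattern: keep only the final path component (for both separator
// styles), reject empty and dot-only names, allow-list the characters, and
// finally re-check containment on the resolved path so a future regression
// in the sanitiser still cannot write outside the directory.
function safeTargetPath(uploadDir: string, clientName: string): string {
  const base = clientName.split(/[\\/]/).pop() ?? "";
  if (base === "" || base === "." || base === "..") {
    throw new Error("invalid file name");
  }
  const cleaned = base.replace(/[^A-Za-z0-9._-]/g, "_").slice(0, 255);
  const target = path.posix.resolve(uploadDir, cleaned);
  if (escapesUploadDir(uploadDir, target)) {
    throw new Error("file name escapes upload directory");
  }
  return target;
}

// Constructed names an attacker, or a post-patch verification test, might send.
const PROBES = [
  "../../../usr/local/bin/bun",
  "..\\..\\Windows\\win.ini",
  "report (final).pdf",
];

for (const name of PROBES) {
  const bad = vulnerableTargetPath(UPLOAD_DIR, name);
  console.log(`${name} -> vulnerable: ${bad} (escapes: ${escapesUploadDir(UPLOAD_DIR, bad)})`);
  try {
    console.log(`  hardened: ${safeTargetPath(UPLOAD_DIR, name)}`);
  } catch (e) {
    console.log(`  hardened: rejected (${(e as Error).message})`);
  }
}
```

The containment check at the end is the part worth keeping even if the sanitiser changes: it is cheap, and it turns any future mistake in name handling into a rejected upload rather than a write outside the directory.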

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise via remote code execution, allowing attackers to install malware, exfiltrate data, or pivot to other systems.

🟠

Likely Case

Attackers overwrite critical binaries to execute arbitrary code, potentially gaining persistent access to the server.

🟢

If Mitigated

Limited impact if the ConvertX process runs as an unprivileged user with only its own data directory writable, so a traversal write cannot reach binaries, startup scripts or other users' files. Strong authentication controls further limit who can reach the /upload endpoint at all.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: Likely
Unauthenticated Exploit: No
Complexity: Low

Exploitation requires an authenticated account, but is straightforward once one is obtained: a single multipart upload with a crafted file name is enough. The vulnerable code and the fixing change are in the public source repository, so the technique can be derived from the diff without a published proof of concept.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.16.0

Vendor Advisory: https://github.com/C4illin/ConvertX/security/advisories/GHSA-cpww-gwgc-p72r

Restart Required: Yes

Instructions:

1. Stop the ConvertX service (or container).
2. Update to version 0.16.0 or later: pull the updated container image if you deploy with Docker, or fetch the release from GitHub.
3. Restart the ConvertX service.
4. Verify that the running instance reports 0.16.0 or later.
5. Because the bug allows overwriting binaries, treat an instance that was reachable by untrusted accounts as possibly compromised: compare system binaries against package-manager checksums and review the upload directory and recently modified files before trusting the host.

🔧 Temporary Workarounds

Run ConvertX as an unprivileged user that can only write its own data directory

linux

Permissions on the uploads directory itself do not help: the traversal write lands outside it. What limits the damage is the identity of the ConvertX process. Run it as a dedicated account that is not root and owns nothing except the ConvertX data directory, so a traversal path that resolves to a system binary fails with a permission error. For container deployments, the equivalent is a read-only root filesystem with only the data volume writable.

useradd --system --shell /usr/sbin/nologin convertx
chown -R convertx:convertx /path/to/convertx/data
chmod -R u=rwX,go= /path/to/convertx/data

Implement WAF rules

all

Add web application firewall rules that inspect the filename parameter of the multipart Content-Disposition header on requests to /upload and block values containing path traversal sequences. Cover both separators ('../' and '..\') and percent-encoded forms ('%2e%2e%2f', including double encoding), since the file name may arrive encoded. Treat this as defence in depth only; it does not fix the write.

🧯 If You Can't Patch

  • Disable the upload functionality entirely if not required, or take the instance offline until it can be updated.
  • Limit who can authenticate: disable self-registration if it is enabled, remove unused accounts, and monitor upload activity for file names containing traversal sequences.

🔍 How to Verify

Check if Vulnerable:

Check whether the running ConvertX version is below 0.16.0 by examining the application interface, the configuration files, or the container image tag.

Check Version:

Check the version field in package.json, the application startup logs, or the tag of the deployed container image.

Verify Fix Applied:

After updating, verify the version is 0.16.0 or higher. In a test instance, upload a file with a traversal name (e.g., '../../bin/ls') and confirm that it is either rejected or stored under a sanitised name inside the upload directory; check that nothing outside that directory was modified.

📡 Detection & Monitoring

Log Indicators:

  • Upload requests, successful or failed, whose file name contains path traversal sequences (e.g., '../', '..\') or their percent-encoded forms
  • Files created or modified in system directories (binaries, cron directories, service units, shell startup files) by the ConvertX process user

Network Indicators:

  • HTTP POST requests to /upload endpoint with unusual file names
  • Increased upload traffic from single IP addresses

SIEM Query:

source="convertx.log" AND url_path="/upload" AND (file_name="*../*" OR file_name="*..\\*" OR file_name="*%2e%2e*" OR file_name="*%2E%2E*")

If the log pipeline URL-decodes the file name at ingest, the first two clauses are sufficient; otherwise the encoded variants are needed to catch evasion.
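The indicators above as runnable detection logic, added here as an example and not taken from ConvertX, which has no documented log format on this page. The log lines below are constructed for the example, with the field layout (ip=, user=, POST /upload, filename=) assumed; the scanner decodes the file name repeatedly so that single- and double-encoded traversal is caught, then classifies the reason and tallies findings per source address.

```typescript
// Added example, not ConvertX's logging. The line format below is constructed
// for illustration; adapt the regular expression to the real log source.
const SAMPLE_LOG: string[] = [
  '2025-12-01T10:22:13Z ip=203.0.113.5 user=alice POST /upload 200 filename="quarterly.docx"',
  '2025-12-01T10:22:40Z ip=203.0.113.5 user=alice POST /upload 200 filename="../../../usr/local/bin/bun"',
  '2025-12-01T10:23:02Z ip=203.0.113.5 user=alice POST /upload 200 filename="..%2F..%2F..%2Fetc%2Fcron.d%2Fjob"',
  '2025-12-01T10:23:30Z ip=198.51.100.7 user=bob POST /upload 200 filename="..\\..\\Windows\\win.ini"',
  '2025-12-01T10:24:00Z ip=198.51.100.7 user=bob POST /convert 200 format=pdf',
  '2025-12-01T10:24:10Z ip=203.0.113.5 user=alice POST /upload 200 filename="%252e%252e%252fbin%252fsh"',
];

interface Finding {
  ip: string;
  user: string;
  filename: string; // as logged
  decoded: string;  // after repeated percent-decoding
  reason: string;
}

// Decode up to `rounds` times so double-encoded sequences are unwrapped;
// stop early when decoding is a no-op or the input is malformed.
function fullyDecode(s: string, rounds = 3): string {
  let prev = s;
  for (let i = 0; i < rounds; i++) {
    let next: string;
    try {
      next = decodeURIComponent(prev);
    } catch {
      return prev;
    }
    if (next === prev) return prev;
    prev = next;
  }
  return prev;
}

// Why a decoded name is suspicious, or null when it looks like a plain file name.
function classify(decoded: string): string | null {
  if (/(^|[\\/])\.\.([\\/]|$)/.test(decoded)) return "path traversal";
  if (/^([A-Za-z]:)?[\\/]/.test(decoded)) return "absolute path";
  if (/[\x00-\x1f]/.test(decoded)) return "control character";
  return null;
}

function scanUploadLog(lines: string[]): Finding[] {
  const re = /ip=(\S+) user=(\S+) POST \/upload \d+ filename="([^"]*)"/;
  const findings: Finding[] = [];
  for (const line of lines) {
    const m = re.exec(line);
    if (!m) continue; // not an upload line
    const [, ip, user, filename] = m;
    const decoded = fullyDecode(filename);
    const reason = classify(decoded);
    if (reason) findings.push({ ip, user, filename, decoded, reason });
  }
  return findings;
}

// Per-source tally, for the "many suspicious uploads from one address" indicator.
function findingsPerIp(findings: Finding[]): Map<string, number> {
  const counts = new Map<string, number>();
  for (const f of findings) counts.set(f.ip, (counts.get(f.ip) ?? 0) + 1);
  return counts;
}

const hits = scanUploadLog(SAMPLE_LOG);
for (const h of hits) {
  console.log(`${h.ip} ${h.user} ${h.reason}: ${h.filename} -> ${h.decoded}`);
}
console.log(Object.fromEntries(findingsPerIp(hits)));
```

The decode loop matters more than the pattern list: a query that only looks for the literal '../' misses the double-encoded case, which is exactly what an attacker who has read the WAF rule will send.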
