PT-2025-4306 · Unknown · Clipbucket

Kawing-Ho · Published 2025-01-07 · Updated 2025-09-05 · CVE-2025-21622

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ClipBucket V5 versions prior to 5.5.1 - 237

Description: The issue arises in the user avatar upload workflow, where a user can upload and change their avatar at any time. During deletion, ClipBucket checks whether the avatar URL is a file path within the avatars subdirectory; if the URL path lies within the avatars directory, ClipBucket deletes it. However, there is no check for path traversal sequences in the user-provided input that is stored in the database as the avatar URL. This allows the final $file variable to be tainted with path traversal sequences, leading to file deletion outside the intended scope of the avatars folder.

Recommendations: For ClipBucket V5 versions prior to 5.5.1 - 237, update to version 5.5.1 - 237 to resolve the issue. As a temporary workaround, consider restricting access to the avatar upload functionality to minimize the risk of exploitation. Additionally, avoid using user-provided input in file deletion operations until the issue is resolved.
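The following PHP is an added illustration of the flaw class described above; it is not ClipBucket's own code and does not reproduce the patched function. It places an assumed naive "is it under avatars?" substring check beside a hardened resolver that keeps only the file name, enforces a strict allowlist, and confirms the canonical path stays inside the avatar directory before anything is unlinked. The directory name, the URL shape and the sample values are constructed assumptions.

```php
<?php
// Added example, not ClipBucket code. AVATAR_DIR and the URL format are assumed.
const AVATAR_DIR = '/var/www/clipbucket/files/avatars';

// Vulnerable pattern (assumed shape of the bug): accept any URL whose path
// mentions the avatars subdirectory and concatenate the remainder into the
// filesystem path. Traversal sequences stored in the database survive into $file.
function vulnerableAvatarPath(string $avatarUrl): ?string
{
    $path = parse_url($avatarUrl, PHP_URL_PATH);
    if (!is_string($path) || strpos($path, '/avatars/') === false) {
        return null; // treated as "not in the avatars directory", deletion skipped
    }
    $rel = substr($path, strpos($path, '/avatars/') + strlen('/avatars/'));
    return AVATAR_DIR . '/' . $rel; // tainted $file, no normalisation
}

// Hardened step 1 (pure, no filesystem access): reduce the stored value to a
// single path component and require a conservative file-name character set.
function sanitizeAvatarName(string $avatarUrl): ?string
{
    $path = parse_url($avatarUrl, PHP_URL_PATH);
    if (!is_string($path)) {
        return null;
    }
    $name = basename($path); // drops every directory component, including '..'
    if (!preg_match('/^[A-Za-z0-9_-]+\.(jpg|jpeg|png|gif)$/i', $name)) {
        return null;
    }
    return $name;
}

// Hardened step 2: build the path from the trusted directory only, then
// canonicalise both sides and verify containment (catches symlink escapes too).
function safeAvatarPath(string $avatarUrl): ?string
{
    $name = sanitizeAvatarName($avatarUrl);
    if ($name === null) {
        return null;
    }
    $base = realpath(AVATAR_DIR);
    $real = realpath(AVATAR_DIR . '/' . $name); // false if the file does not exist
    if ($base === false || $real === false) {
        return null;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the avatar directory
    }
    return $real;
}

function deleteAvatar(string $avatarUrl): bool
{
    $file = safeAvatarPath($avatarUrl);
    return $file !== null && unlink($file);
}

// Constructed sample values: one ordinary avatar URL, one carrying traversal.
$samples = [
    'https://example.test/files/avatars/1234.jpg',
    'https://example.test/files/avatars/../../outside.txt',
];
foreach ($samples as $url) {
    printf("%-55s vulnerable=%s sanitized=%s\n",
        $url,
        vulnerableAvatarPath($url) ?? 'rejected',
        sanitizeAvatarName($url) ?? 'rejected');
}
```

Run stand-alone, the vulnerable function returns a path ending in `avatars/../../outside.txt` for the second sample, while `sanitizeAvatarName()` rejects it (the extension check fails after `basename()` has already stripped the traversal). `safeAvatarPath()` additionally returns null for any name that does not resolve to an existing file under the avatar directory, so the `realpath()` containment check is what a practitioner should keep regardless of how the stored URL is validated.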

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2025-21622
GHSA-5QPX-23RW-36GG

Affected Products

Clipbucket