PT-2025-50567 · Pyrofork · Pyrofork

Published: 2025-12-11 · Updated: 2025-12-12 · CVE-2025-67720

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Pyrofork versions 2.3.68 and earlier

Description: Pyrofork is an asynchronous MTProto API framework. Versions 2.3.68 and earlier do not properly sanitize filenames received from Telegram messages before using them to construct a file path in the download_media method. When media is downloaded without a custom filename, the method uses the file_name attribute of the media object, which originates from Telegram's DocumentAttributeFilename and is therefore controlled by the message sender. A sender-chosen name containing path separators or ".." components can make the written file land outside the intended download directory, i.e. a path traversal issue.

Recommendations: Update to version 2.3.69 or later.
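The defect class described above, as an added example that is not Pyrofork's code: a sender-controlled file name is joined straight onto a download directory (the unsafe pattern), beside a hardened version that reduces the name to a single path component and then verifies that the resolved path is still inside the directory. All function names and the sample file names are constructed for illustration; the random fallback name and the 255-character cap are assumptions, not behaviour taken from the project.

```python
"""Hardened construction of a download path from a sender-controlled filename.

Added example (not Pyrofork's own code): models the weakness described in the
advisory, where the file name attached to a Telegram document is chosen by the
message sender, and shows a containment check that keeps the final path inside
the download directory. Function and variable names are illustrative.
"""
import os
import re
import uuid
from typing import Optional

# Path separators of either platform and the NUL byte must never survive
# into a stored file name.
_FORBIDDEN = re.compile(r"[\\/\x00]")


def naive_download_path(download_dir: str, file_name: str) -> str:
    """The unsafe pattern: join a sender-supplied name directly onto the directory."""
    return os.path.join(download_dir, file_name)


def sanitize_file_name(file_name: Optional[str]) -> str:
    """Reduce a sender-supplied name to one safe path component."""
    if not file_name:
        return f"{uuid.uuid4().hex}.bin"  # assumption: fall back to a random name
    # Keep only the last path component, whatever separator style was used.
    name = re.split(r"[\\/]", file_name)[-1]
    # Drop anything forbidden, non-printable characters, and leading/trailing
    # dots and spaces (this also turns ".bashrc"-style hidden names into plain ones).
    name = _FORBIDDEN.sub("", name)
    name = "".join(ch for ch in name if ch.isprintable()).strip(" .")
    # "." and ".." (or names that reduce to nothing) are not usable file names.
    if name in ("", ".", ".."):
        return f"{uuid.uuid4().hex}.bin"
    return name[:255]  # assumption: cap at a common filesystem name limit


def safe_download_path(download_dir: str, file_name: Optional[str]) -> str:
    """Build a path that is guaranteed to stay inside download_dir."""
    base = os.path.realpath(download_dir)
    candidate = os.path.realpath(os.path.join(base, sanitize_file_name(file_name)))
    # Defence in depth: even after sanitising, verify containment before use.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"refusing path outside download directory: {candidate!r}")
    return candidate


def escapes_directory(download_dir: str, path: str) -> bool:
    """True when `path` resolves to a location outside `download_dir`."""
    base = os.path.realpath(download_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


if __name__ == "__main__":
    # Constructed sample names a hostile sender could attach to a document.
    samples = ["report.pdf", "../../outside.txt", "..\\..\\outside.txt",
               "", "..", "a/b/../c.txt"]
    for s in samples:
        naive = naive_download_path("downloads", s)
        print(f"{s!r:24} naive_escapes={escapes_directory('downloads', naive)!s:5} "
              f"safe={os.path.basename(safe_download_path('downloads', s))!r}")
```

The containment check in safe_download_path is the part worth keeping even if the sanitiser is later changed: it does not depend on knowing every dangerous character, only on the resolved path sharing the download directory as a prefix. Note that on POSIX the backslash variant is a single odd-looking file name and does not escape, whereas on Windows it would; splitting on both separators avoids platform-dependent behaviour.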

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2025-67720
GHSA-6H2F-WJHF-4WJX

Affected Products

Pyrofork