PT-2026-5702 · Unknown · Com.Xiaoleilu.Loserver+1

Published

2026-02-02

·

Updated

2026-03-03

·

CVE-2025-66480

CVSS v3.1

9.8

Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Wildfire IM versions prior to 1.4.3
Description: Wildfire IM's im-server component contains a critical issue in the file upload functionality within com.xiaoleilu.loServer.action.UploadFileAction. The application exposes an API endpoint '/fs' that handles multipart file uploads but does not sanitize the filename supplied by the client. The writeFileUploadData method concatenates the configured storage directory with the filename taken from the upload request without removing directory traversal sequences, so a filename such as one containing repeated '../' segments resolves to a location outside the storage directory. This allows an attacker to write arbitrary files to any location on the server's filesystem where the application process has write permissions, potentially leading to Remote Code Execution (RCE). The CVSS vector (PR:N, UI:N) rates the issue as exploitable without authentication or user interaction.
Recommendations: Update Wildfire IM to version 1.4.3 or later. Until then, restrict network access to the '/fs' endpoint and verify that the account running im-server has write access only to its intended storage directory.
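The following is an added illustration of the flaw class described above and of the check a fixed version needs; it is not code from Wildfire IM or from the com.xiaoleilu.loServer package. The storage root, method names and sample filenames are assumptions chosen for the example. vulnerableTarget mirrors the described pattern (storage directory plus client filename, unmodified); safeTarget rejects any name carrying a separator or a bare '.'/'..' segment and then confirms, after normalization, that the resolved path still lies under the storage root.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;

public class UploadPathCheck {

    // Vulnerable pattern as the advisory describes it: the configured storage
    // directory is concatenated with the client-supplied filename as-is, so
    // "../" segments walk out of the storage directory.
    static String vulnerableTarget(String storageDir, String clientFilename) {
        return storageDir + "/" + clientFilename;
    }

    // Hardened variant (assumed design, not the project's fix): refuse names
    // with any directory component, then resolve under the root and check
    // containment after normalization as a second, independent barrier.
    static Path safeTarget(Path root, String clientFilename) {
        if (clientFilename == null || clientFilename.isEmpty()
                || clientFilename.indexOf('\0') >= 0
                || clientFilename.contains("/") || clientFilename.contains("\\")
                || clientFilename.equals(".") || clientFilename.equals("..")) {
            throw new IllegalArgumentException("invalid upload filename: " + clientFilename);
        }
        Path normalizedRoot = root.toAbsolutePath().normalize();
        Path target = normalizedRoot.resolve(clientFilename).normalize();
        if (!target.startsWith(normalizedRoot) || target.equals(normalizedRoot)) {
            throw new IllegalArgumentException("upload escapes storage root: " + clientFilename);
        }
        return target;
    }

    public static void main(String[] args) {
        // Assumed storage root for the demonstration; not the real im-server setting.
        String storageDir = "/var/lib/wildfire/fs";
        Path root = Paths.get(storageDir);
        // Constructed sample filenames, including traversal attempts.
        List<String> samples = Arrays.asList(
                "avatar.png",
                "../../../../tmp/payload.jsp",
                "..\\..\\windows\\win.ini",
                "..",
                "report%2F..%2F..%2Fx");   // opaque single segment unless decoded first
        for (String name : samples) {
            System.out.println("filename   : " + name);
            System.out.println("  vulnerable -> " + vulnerableTarget(storageDir, name));
            try {
                System.out.println("  hardened   -> " + safeTarget(root, name));
            } catch (IllegalArgumentException e) {
                System.out.println("  hardened   -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

The percent-encoded sample is accepted by safeTarget as a single opaque name; if the upload framework decodes the filename before it reaches this check, the decoded form contains '/' and is rejected, so validation must run on the same form of the name that is used to open the file. Generating a server-side random name and keeping the client filename only as metadata removes the problem entirely.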

Exploit

Fix

RCE

Path traversal

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2025-66480
GHSA-74HQ-JHX2-FQ6C

Affected Products

Wildfire Im
Com.Xiaoleilu.Loserver