
CVE-2025-50202: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in LycheeOrg Lychee

Severity: High
Tags: Vulnerability, CVE-2025-50202, CWE-22
Published: Wed Jun 18 2025 (06/18/2025, 04:13:01 UTC)
Source: CVE Database V5
Vendor/Project: LycheeOrg
Product: Lychee

Description

Lychee is a free photo-management tool. In versions from 6.6.6 up to but not including 6.6.10, an attacker can leak local files, including environment variables, nginx logs, other users' uploaded images, and configuration secrets, through a path traversal flaw in SecurePathController.php. The issue is patched in version 6.6.10.

AI-Powered Analysis

Last updated: 06/18/2025, 04:34:34 UTC

Technical Analysis

CVE-2025-50202 is a high-severity path traversal (CWE-22) vulnerability in Lychee, a free and open-source photo management tool for organizing and sharing images. It affects versions 6.6.6 through 6.6.9 inclusive and lies in the SecurePathController.php component. Because the controller does not adequately validate the file path it receives, an attacker can supply traversal sequences that resolve outside the intended directory and read local files that the Lychee process can access.

Files reachable this way include environment variable files, nginx logs, other users' uploaded images, and configuration secrets. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates that the issue is exploitable remotely over the network, with low attack complexity, without authentication and without user interaction. The impact is on confidentiality: an attacker can read sensitive files and recover credentials or configuration details. Integrity and availability are not directly affected.

The issue was fixed in Lychee 6.6.10, which restricts pathname inputs so that they cannot escape the intended directory. No exploitation in the wild had been reported at the time of analysis, but the low effort required and the value of the exposed files make this a serious risk for any affected deployment. Organizations running an affected version should upgrade to 6.6.10 or later.
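The bug class described above, as an added example that is not Lychee's code and does not reproduce the actual SecurePathController.php logic: a handler that joins a request-supplied path onto a storage directory with no containment check, next to a hardened handler that canonicalizes the path and rejects anything that resolves outside the upload root. The directory layout, file names and contents are constructed for the demo; Lychee itself is a PHP application, and the same realpath-then-prefix check applies there.

```python
"""Added example, not Lychee's own code: a minimal model of the CWE-22 bug
class (a handler that joins a request-supplied path onto a storage directory
without a containment check) next to a hardened handler.
The directory layout and file contents are constructed for the demo."""
import os
import tempfile
from urllib.parse import unquote


def _build_demo_tree() -> str:
    """Constructed fixture: <root>/storage/uploads/photo.jpg is a legitimate
    upload; <root>/.env stands in for a secrets file outside the upload root."""
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    uploads = os.path.join(root, "storage", "uploads")
    os.makedirs(uploads)
    with open(os.path.join(uploads, "photo.jpg"), "wb") as fh:
        fh.write(b"JPEGDATA")
    with open(os.path.join(root, ".env"), "w") as fh:
        fh.write("APP_KEY=constructed-secret\n")
    return root


def serve_vulnerable(uploads_dir: str, user_path: str) -> bytes:
    """Naive handler: URL-decode the request path and join it onto the
    upload directory. '..' segments (and absolute paths, which os.path.join
    simply returns unchanged) walk out of uploads_dir."""
    full = os.path.join(uploads_dir, unquote(user_path))
    with open(full, "rb") as fh:
        return fh.read()


def serve_hardened(uploads_dir: str, user_path: str) -> bytes:
    """Resolve '..' and symlinks first, then require that the resolved file
    is strictly inside the resolved upload root. The decision is made on the
    canonical path, so encoding tricks in user_path do not matter."""
    base = os.path.realpath(uploads_dir)
    candidate = os.path.realpath(os.path.join(base, unquote(user_path)))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes upload root: {user_path!r}")
    with open(candidate, "rb") as fh:
        return fh.read()


def is_blocked(uploads_dir: str, user_path: str) -> bool:
    """True if the hardened handler refuses user_path."""
    try:
        serve_hardened(uploads_dir, user_path)
    except PermissionError:
        return True
    return False


def demo() -> dict:
    """Run both handlers against a benign request and against escape
    attempts (plain, URL-encoded, absolute). Returns the observed outcomes."""
    root = _build_demo_tree()
    uploads = os.path.join(root, "storage", "uploads")
    escapes = ["../../.env", "..%2F..%2F.env", os.path.join(root, ".env")]
    return {
        "vuln_serves_photo": serve_vulnerable(uploads, "photo.jpg") == b"JPEGDATA",
        "vuln_leaks_env": b"APP_KEY=" in serve_vulnerable(uploads, "..%2F..%2F.env"),
        "hard_serves_photo": serve_hardened(uploads, "photo.jpg") == b"JPEGDATA",
        "hard_blocks_all_escapes": all(is_blocked(uploads, p) for p in escapes),
    }


if __name__ == "__main__":
    print(demo())
```

The check deliberately compares canonical paths rather than looking for `..` in the input: a denylist on the raw string misses encoded, doubled or symlink-based variants, while a realpath prefix comparison rejects every path that does not end up under the root, whatever form it arrived in.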

Potential Impact

For European organizations using Lychee versions 6.6.6 to 6.6.9, this vulnerability poses a significant risk to the confidentiality of sensitive data stored on their photo management servers. Exposure of environment variables and configuration secrets could lead to further compromise, including credential theft and lateral movement within networks. Leakage of nginx logs and other users' images could result in privacy violations and reputational damage, especially under stringent European data protection regulations such as GDPR. Since Lychee is often deployed in small to medium enterprises, educational institutions, and creative agencies, the impact could extend to sectors handling personal or sensitive imagery. The vulnerability's remote exploitability without authentication increases the attack surface, making internet-facing Lychee instances particularly vulnerable. Although no active exploitation is reported, the potential for automated scanning and exploitation exists, which could lead to widespread data leakage incidents if unpatched.

Mitigation Recommendations

1. Upgrade all Lychee installations to version 6.6.10 or later, which contains the official fix.
2. Where an immediate upgrade is not feasible, add web application firewall (WAF) rules that block path traversal patterns in requests to the routes served by SecurePathController.php. Match on the percent-decoded, normalized path rather than the raw URI, so that encoded forms such as %2e%2e%2f are caught.
3. Reduce network exposure by restricting access to Lychee servers to trusted internal networks or a VPN.
4. Audit web server access logs and file access patterns for traversal attempts and for unexpected reads of environment, log and configuration files; a 200 response to such a request indicates a likely successful read.
5. Review and rotate any secrets or credentials that may have been exposed, including application keys and database or service credentials held in environment or configuration files.
6. Limit what a successful traversal could reach: run Lychee as a dedicated low-privilege user, keep secrets and logs outside the web root with restrictive file permissions, and use containerization to constrain the filesystem visible to the application process.
7. Ensure system administrators patch promptly and monitor for path traversal indicators.
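Steps 2 and 4 above both come down to recognizing traversal attempts after decoding. The following is an added example, not from the advisory or the Lychee project: a small detector run over constructed nginx access-log lines in the default combined format. The request paths, client addresses and timestamps are illustrative and are not Lychee's real routes or real traffic.

```python
"""Added example, not from the advisory or the Lychee project: a log-audit
and WAF-style detector for path traversal attempts, run over constructed
nginx access-log lines in the default 'combined' format. Request paths are
illustrative, not Lychee's real routes."""
import re
from urllib.parse import unquote

# Fields of nginx's default "combined" log format that the audit needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# A '..' path segment, also when it starts a query value (path=../..).
TRAVERSAL_RE = re.compile(r"(?:^|[/=&])\.\.(?:/|$)")


def normalize(component: str) -> str:
    """Percent-decode until stable (bounded) so that %2e%2e%2f and the
    double-encoded %252e%252e%252f both become '../'; treat backslashes as
    slashes and collapse runs of slashes. Matching must happen on this
    decoded form; rules applied to the raw URI miss the encoded variants."""
    current, previous = component, None
    for _ in range(3):
        if current == previous:
            break
        previous, current = current, unquote(current)
    current = current.replace("\\", "/")
    return re.sub(r"/+", "/", current)


def is_traversal_attempt(target: str) -> bool:
    """True if the path or the query string contains a '..' segment
    after normalization."""
    path, _, query = target.partition("?")
    return bool(TRAVERSAL_RE.search(normalize(path)) or
                TRAVERSAL_RE.search(normalize(query)))


def scan_log(lines):
    """Return (ip, raw_target, status, served) for every suspicious request.
    served=True (HTTP 200) marks a likely successful read that needs
    incident response, not just blocking."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m["target"]):
            hits.append((m["ip"], m["target"], int(m["status"]), m["status"] == "200"))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '198.51.100.4 - - [18/Jun/2025:04:20:01 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [18/Jun/2025:04:20:02 +0000] "GET /uploads/photo..jpg HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Jun/2025:04:21:10 +0000] "GET /uploads/%2e%2e/%2e%2e/.env HTTP/1.1" 200 411 "-" "curl/8.5.0"',
    '203.0.113.7 - - [18/Jun/2025:04:21:11 +0000] "GET /uploads/%252e%252e%252f%252e%252e%252f.env HTTP/1.1" 404 153 "-" "curl/8.5.0"',
    '203.0.113.7 - - [18/Jun/2025:04:21:12 +0000] "GET /download?path=..%2F..%2Fstorage%2Flogs%2Fnginx.log HTTP/1.1" 403 0 "-" "curl/8.5.0"',
]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run as a script it prints the three suspicious requests from 203.0.113.7; the first of them returned 200 and is the one to treat as a confirmed read when deciding which secrets to rotate. The benign `photo..jpg` line is not flagged because the rule requires `..` to be a whole path segment.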


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-06-13T19:17:51.729Z
CVSS Version
3.1
State
PUBLISHED

Threat ID: 68523e53a8c921274386c67b

Added to database: 6/18/2025, 4:19:31 AM

Last enriched: 6/18/2025, 4:34:34 AM

Last updated: 8/12/2025, 11:50:22 PM

