CVE-2025-51661 is a path traversal vulnerability identified in FileCodeBox versions 2.2 and earlier. The root cause lies in the SystemFileStorage.save_file method within core/storage.py, which constructs the file save path using filenames directly from user input without any validation or sanitization. This flaw allows remote attackers to craft POST requests containing malicious directory traversal sequences (e.g., '../') targeting the /share/file/ upload endpoint. Because this endpoint does not require any form of authorization, attackers can exploit it to write arbitrary files anywhere on the local filesystem accessible by the application process. This can lead to overwriting critical system or application files, potentially exposing sensitive data or enabling further compromise. The vulnerability is classified under CWE-24 (Improper Restriction of File Name in a File Path) and carries a CVSS v3.1 base score of 7.5, indicating high severity. The attack vector is network-based with no privileges or user interaction required, making exploitation straightforward once the system is exposed. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date (November 19, 2025).

For European organizations, this vulnerability poses a significant risk to confidentiality and system integrity. Since the vulnerability allows arbitrary file writes without authentication, attackers can overwrite configuration files, inject malicious scripts, or replace legitimate files with malicious ones, potentially leading to data breaches or system compromise. Organizations using FileCodeBox with local filesystem storage are particularly vulnerable. Critical sectors such as finance, healthcare, government, and industrial control systems could face operational disruptions or data leaks if exploited. The lack of authentication and ease of exploitation increase the likelihood of attacks, especially in environments where the application is exposed to the internet. Additionally, the ability to write files arbitrarily could be leveraged to establish persistent footholds or pivot within networks, escalating the threat beyond initial exploitation.

To mitigate this vulnerability, organizations should immediately implement strict input validation and sanitization on all filenames received via the /share/file/ upload endpoint. Specifically, reject or canonicalize any path traversal sequences such as '../' or absolute paths. Employ allowlists for acceptable filenames and enforce saving files strictly within designated directories using secure path resolution methods. If possible, disable local filesystem storage in favor of safer storage backends. Restrict network access to the upload endpoint using firewalls or access control lists to limit exposure. Monitor logs for suspicious upload activity and implement anomaly detection to identify exploitation attempts. Apply principle of least privilege to the application process to minimize filesystem access rights. Stay alert for official patches or updates from FileCodeBox developers and apply them promptly once available.