CVE-2025-51661 is a path traversal vulnerability identified in FileCodeBox version 2.2 and earlier. The root cause lies in the SystemFileStorage.save_file method within core/storage.py, which constructs the save_path for uploaded files using filenames directly derived from user input without any sanitization or validation. This flaw allows remote attackers to craft POST requests to the /share/file/upload endpoint containing malicious directory traversal sequences (e.g., ../) in the filename parameter. Because the endpoint does not require any form of authentication or authorization, attackers can exploit this vulnerability to write arbitrary files anywhere on the server's filesystem where the application process has write permissions. This can lead to overwriting critical system or application files, uploading web shells, or planting malware, potentially resulting in full system compromise. The vulnerability specifically affects deployments configured to use local filesystem storage rather than cloud or other storage backends. Although no public exploits have been reported yet, the vulnerability's characteristics—lack of authentication, direct file write capability, and path traversal—make it a high-risk issue. The absence of a CVSS score indicates the need for a manual severity assessment. The vulnerability was reserved in June 2025 and published in November 2025, indicating recent discovery. No patches or mitigations have been officially released at the time of this report, emphasizing the urgency for affected users to implement temporary controls and monitor for updates.

For European organizations, this vulnerability poses a significant risk, especially for those using FileCodeBox in environments where local filesystem storage is enabled. Successful exploitation can lead to unauthorized file writes outside the intended directory, potentially allowing attackers to overwrite configuration files, deploy backdoors, or disrupt application functionality. This can compromise confidentiality by exposing sensitive data, integrity by altering or injecting malicious files, and availability by damaging critical files or causing application crashes. The lack of authentication requirement broadens the attack surface, enabling remote attackers to exploit the vulnerability without credentials. Organizations in sectors such as government, finance, healthcare, and critical infrastructure that rely on FileCodeBox for code or file sharing are particularly vulnerable. The ability to write arbitrary files remotely can facilitate lateral movement, privilege escalation, or persistent access within networks. Additionally, the vulnerability could be leveraged as an initial entry vector in targeted attacks or ransomware campaigns. The absence of known exploits currently provides a window for proactive mitigation, but the risk of future exploitation remains high.

1. Immediately restrict access to the /share/file/upload endpoint by implementing network-level controls such as IP whitelisting or VPN access to limit exposure. 2. Apply strict input validation and sanitization on all filename parameters to disallow directory traversal sequences (e.g., ../) and enforce whitelist-based filename patterns. 3. Configure the application to use secure storage backends that do not rely on local filesystem writes, such as cloud storage services with built-in access controls. 4. Implement file system permissions to restrict the application’s write access strictly to intended directories, preventing writes to sensitive system paths. 5. Monitor application logs and network traffic for suspicious POST requests containing traversal patterns or unusual file upload activity. 6. Develop and deploy patches or updates from the vendor as soon as they become available. 7. Conduct regular security assessments and penetration tests focusing on file upload functionalities. 8. Educate developers and administrators about secure coding practices related to file handling and input validation. 9. Consider deploying Web Application Firewalls (WAFs) with rules to detect and block path traversal attempts targeting the upload endpoint.