CVE-2025-63365 identifies a directory traversal vulnerability in SoftSea EPUB File Reader version 1.0.0.0. The flaw exists in the EPUB archive extraction functionality, where the software improperly sanitizes file paths during the extraction process. This allows an attacker to craft a malicious EPUB file containing specially named entries with directory traversal sequences (e.g., '../') that cause files to be extracted outside the intended directory. Such unauthorized file writes or reads can lead to disclosure or modification of sensitive files on the victim's system. The vulnerability has a CVSS v3.1 score of 7.1, indicating high severity, with an attack vector classified as local (AV:L), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The scope remains unchanged (S:U), and the impact is high on confidentiality and integrity but none on availability. Although no public exploits are known, the vulnerability poses a significant risk if exploited, especially in environments where users open EPUB files from untrusted sources. The vulnerability is categorized under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). No patches or fixes are currently available, and the vulnerability was published on December 1, 2025.

For European organizations, this vulnerability can lead to unauthorized access and modification of sensitive files if malicious EPUB files are opened. Sectors such as publishing, education, legal, and government agencies that frequently handle EPUB documents are at higher risk. Confidentiality breaches could expose intellectual property or personal data, potentially violating GDPR regulations. Integrity impacts may result in tampering with critical documents or configuration files, undermining trust and operational reliability. Since exploitation requires local access and user interaction, the threat is more pronounced in environments with less stringent endpoint controls or where users frequently open files from external sources. The absence of availability impact reduces the risk of service disruption but does not diminish the severity of data compromise. The lack of known exploits currently limits immediate widespread risk but does not preclude targeted attacks.

European organizations should implement strict controls on the sources of EPUB files, avoiding opening files from untrusted or unknown origins. Employ endpoint security solutions capable of detecting and blocking suspicious file extraction behaviors. Use application whitelisting to restrict execution of unauthorized software. Monitor file system changes in directories commonly used for EPUB extraction to detect anomalous activity. Since no patch is currently available, consider isolating or sandboxing the SoftSea EPUB Reader application to limit filesystem access. Educate users about the risks of opening EPUB files from unverified sources and enforce policies for safe document handling. Regularly review and update security policies to include emerging threats related to document processing software. Once patches or updates are released by the vendor, prioritize their deployment.