CVE-2025-66480: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in wildfirechat im-server
Wildfire IM is an instant messaging and real-time audio/video solution. Prior to 1.4.3, a critical vulnerability exists in the im-server component related to the file upload functionality found in com.xiaoleilu.loServer.action.UploadFileAction. The application exposes an endpoint (/fs) that handles multipart file uploads but fails to properly sanitize the filename provided by the user. Specifically, the writeFileUploadData method directly concatenates the configured storage directory with the filename extracted from the upload request without stripping directory traversal sequences (e.g., ../../). This vulnerability allows an attacker to write arbitrary files to any location on the server's filesystem where the application process has write permissions. By uploading malicious files (such as scripts or executables) or overwriting configuration files like authorized_keys or cron jobs, an attacker can achieve Remote Code Execution (RCE) and completely compromise the server. This vulnerability is fixed in 1.4.3.
AI Analysis
Technical Summary
CVE-2025-66480 is a critical security vulnerability affecting the wildfirechat im-server component prior to version 1.4.3. The flaw exists in the file upload functionality, specifically within the com.xiaoleilu.loServer.action.UploadFileAction class. The server exposes an endpoint (/fs) that accepts multipart file uploads but fails to properly sanitize the filename parameter. The vulnerable method, writeFileUploadData, concatenates the configured storage directory path with the user-supplied filename without removing directory traversal sequences such as "../". This improper limitation of a pathname to a restricted directory (CWE-22) allows attackers to traverse directories and write files outside the intended storage area. By exploiting this, an attacker can upload arbitrary files to any location on the server where the application process has write permissions. This includes critical system directories or user home directories, enabling overwriting of configuration files like authorized_keys or cron jobs. Such actions can lead to remote code execution (RCE), complete server compromise, and persistent backdoors. The vulnerability is rated critical with a CVSS 3.1 base score of 9.8, reflecting its high impact on confidentiality, integrity, and availability, ease of exploitation (network vector, no privileges or user interaction needed), and broad scope. Although no public exploits are currently known, the severity and simplicity of exploitation make this a high-priority issue. The vendor fixed the vulnerability in version 1.4.3 by properly sanitizing filenames and restricting file write locations.
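The following is an added illustration, not code from the wildfirechat project: it places the vulnerable join described above (storage directory + user-supplied filename, no handling of "../") beside one hardened resolver. The class and method names are hypothetical, the storage root and the sample filenames are constructed, and safeResolve is one way to enforce the restriction, not the vendor's 1.4.3 fix.

```java
import java.io.File;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not code from the wildfirechat project. The class and method
// names are hypothetical; only the vulnerable pattern itself follows the advisory.
public class UploadPathCheck {

    // Vulnerable pattern from the advisory: storage directory + separator + the
    // filename taken from the multipart request, with no handling of "../" segments.
    static Path vulnerableResolve(Path storageDir, String uploadedName) {
        return Paths.get(storageDir.toString() + File.separator + uploadedName);
    }

    // Hardened variant (one possible fix, not the vendor's): keep only the last
    // path component, reject empty or dot-only names and NUL bytes, then confirm
    // the normalized absolute result still lies under the storage root.
    static Path safeResolve(Path storageDir, String uploadedName) {
        String base = uploadedName;
        // Strip the directory part whichever separator the client used.
        int cut = Math.max(base.lastIndexOf('/'), base.lastIndexOf('\\'));
        if (cut >= 0) {
            base = base.substring(cut + 1);
        }
        if (base.isEmpty() || base.equals(".") || base.equals("..") || base.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("rejected upload filename: " + uploadedName);
        }
        Path root = storageDir.toAbsolutePath().normalize();
        Path target;
        try {
            target = root.resolve(base).normalize();
        } catch (InvalidPathException e) {
            // Characters the host file system does not allow (e.g. ':' on Windows).
            throw new IllegalArgumentException("rejected upload filename: " + uploadedName, e);
        }
        // Defence in depth: the base-name step already prevents escape, but an
        // explicit containment check catches any future regression in that step.
        if (!target.startsWith(root) || target.equals(root)) {
            throw new IllegalArgumentException("path escapes storage root: " + uploadedName);
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample root and filenames; none come from the advisory.
        Path storage = Paths.get("/var/lib/wildfirechat/upload");
        String[] samples = {
            "avatar.png",                      // benign name, accepted as-is
            "../../../../tmp/escaped.txt",     // "../" traversal, the case the advisory describes
            "..\\..\\tmp\\escaped.txt",        // backslash form, traverses only on Windows hosts
            "/tmp/absolute.txt",               // absolute path: reduced to its base name
            "..",                              // dot-dot alone: rejected outright
        };
        for (String name : samples) {
            Path unsafe = vulnerableResolve(storage, name).normalize();
            String verdict;
            try {
                verdict = "accepted as " + safeResolve(storage, name);
            } catch (IllegalArgumentException e) {
                verdict = "rejected (" + e.getMessage() + ")";
            }
            System.out.printf("%-32s vulnerable -> %s%n%-32s hardened   -> %s%n", name, unsafe, "", verdict);
        }
    }
}
```

Compile with `javac UploadPathCheck.java` and run `java UploadPathCheck`; for each constructed filename the output shows where the vulnerable join would write and what the hardened resolver does instead. Reducing the name to its last component is what actually closes the hole; the containment check afterwards is there so that a later change to the base-name logic cannot silently reopen it.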
Potential Impact
For European organizations, exploitation of CVE-2025-66480 could result in full compromise of wildfirechat im-server instances, leading to unauthorized access to sensitive communications, data exfiltration, and lateral movement within networks. Given wildfirechat's role in instant messaging and real-time audio/video communications, attackers could intercept or manipulate business-critical conversations, impacting confidentiality and operational integrity. The ability to execute arbitrary code remotely can also facilitate deployment of ransomware, espionage tools, or persistent malware. This poses significant risks to sectors reliant on secure communications, such as government agencies, financial institutions, healthcare providers, and critical infrastructure operators across Europe. The disruption or compromise of these services could have cascading effects on business continuity and national security. Additionally, the vulnerability's network-exploitable nature means attackers can target exposed servers directly without authentication, increasing the attack surface. Organizations failing to patch promptly may face regulatory penalties under GDPR due to inadequate protection of personal data processed via the platform.
Mitigation Recommendations
European organizations using wildfirechat im-server should immediately upgrade to version 1.4.3 or later, where the vulnerability is fixed. If upgrading is not immediately feasible, implement strict network-level controls to restrict access to the /fs upload endpoint, such as IP whitelisting, VPN-only access, or web application firewalls with custom rules to detect and block directory traversal patterns in upload requests. Conduct thorough audits of existing server files for unauthorized changes or suspicious files, especially in critical directories. Employ runtime application self-protection (RASP) or endpoint detection and response (EDR) tools to monitor for anomalous file writes or process executions. Review and harden file system permissions to minimize the write capabilities of the im-server process, limiting potential damage scope. Regularly back up server configurations and data to enable recovery from compromise. Finally, educate development and operations teams on secure file upload handling and input validation best practices to prevent similar issues in the future.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-02T17:09:52.016Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69813002f9fa50a62f63a04e
Added to database: 2/2/2026, 11:15:14 PM
Last enriched: 2/2/2026, 11:44:28 PM
Last updated: 2/7/2026, 12:49:19 PM