CVE-2025-66480 is a critical security vulnerability affecting the wildfirechat im-server component before version 1.4.3. The flaw exists in the file upload functionality handled by the UploadFileAction class, specifically in the writeFileUploadData method. This method concatenates the configured storage directory path with the user-supplied filename from multipart upload requests without proper sanitization or validation. As a result, directory traversal sequences such as "../" are not stripped, enabling attackers to escape the intended storage directory. This allows arbitrary file writes to any location on the server's filesystem where the application process has write permissions. An attacker can exploit this to upload malicious payloads, including scripts or executables, or overwrite sensitive files like authorized_keys or cron job configurations, leading to remote code execution (RCE) and full server compromise. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network via the exposed /fs endpoint. The CVSS v3.1 base score is 9.8 (critical), reflecting the ease of exploitation and severe impact on confidentiality, integrity, and availability. No known exploits in the wild have been reported yet. The issue is resolved in wildfirechat im-server version 1.4.3 by properly sanitizing filenames to prevent directory traversal.

For European organizations, this vulnerability poses a significant risk of complete server compromise if they use vulnerable versions of wildfirechat im-server. Attackers can gain unauthorized access, execute arbitrary code, and potentially move laterally within networks, leading to data breaches, service disruptions, and loss of sensitive communications. Given wildfirechat's use in instant messaging and real-time audio/video communication, exploitation could disrupt critical business communications and expose confidential information. Organizations in sectors such as finance, healthcare, government, and critical infrastructure are particularly at risk due to the sensitive nature of their communications and regulatory requirements. The lack of authentication or user interaction needed for exploitation increases the threat level, making automated attacks feasible. Additionally, compromised servers could be used as footholds for further attacks or as part of botnets, amplifying the impact.

European organizations should immediately upgrade wildfirechat im-server to version 1.4.3 or later, where the vulnerability is fixed. Until upgrading, implement strict network-level access controls to restrict access to the /fs upload endpoint only to trusted users or internal networks. Employ web application firewalls (WAFs) with custom rules to detect and block directory traversal patterns in file upload requests. Conduct thorough audits of server file permissions to minimize writable directories by the application process, reducing the potential impact of arbitrary file writes. Monitor server logs for suspicious upload activity or unexpected file modifications. Implement intrusion detection systems (IDS) to alert on anomalous behavior indicative of exploitation attempts. Additionally, review and harden SSH authorized_keys and cron job configurations to detect unauthorized changes. Establish an incident response plan to quickly isolate and remediate compromised systems. Finally, educate development teams on secure file handling practices to prevent similar vulnerabilities.