CVE-2025-67720: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Mayuri-Chan pyrofork
Pyrofork is a modern, asynchronous MTProto API framework. Versions 2.3.68 and earlier do not properly sanitize filenames received from Telegram messages in the download_media method before using them in file path construction. When downloading media, if the user does not specify a custom filename (which is the common/default usage), the method falls back to using the file_name attribute from the media object. The attribute originates from Telegram's DocumentAttributeFilename and is controlled by the message sender. This issue is fixed in version 2.3.69.
AI Analysis
Technical Summary
CVE-2025-67720 is a medium-severity path traversal vulnerability (CWE-22) in the pyrofork framework, a modern asynchronous MTProto API framework used to interact with Telegram. Versions 2.3.68 and earlier fail to properly sanitize filenames received from Telegram messages in the download_media method. When a user downloads media without specifying a custom filename, pyrofork defaults to using the file_name attribute from the media object, which originates from Telegram's DocumentAttributeFilename. This attribute is controlled by the sender of the Telegram message, meaning an attacker can craft malicious filenames containing path traversal sequences (e.g., ../) to escape the intended download directory. This can lead to overwriting or modifying arbitrary files on the system where pyrofork is running, impacting the integrity of the system. The vulnerability requires user interaction since the victim must receive and process a malicious Telegram message, but no authentication or privileges are required to exploit it. The CVSS v3.1 score is 6.5 (medium), reflecting network attack vector, low attack complexity, no privileges required, user interaction needed, and impact limited to integrity. No known exploits are currently reported in the wild. The issue is resolved in pyrofork version 2.3.69 by properly sanitizing and validating filenames before file path construction. This vulnerability is particularly relevant for organizations using pyrofork in Telegram bot or client implementations that automatically download media files, as it could allow attackers to manipulate or corrupt files on the host system.
Potential Impact
For European organizations, the primary impact of this vulnerability is on the integrity of systems running vulnerable pyrofork versions. Attackers can overwrite or modify arbitrary files by sending specially crafted Telegram messages, potentially leading to unauthorized code execution, configuration corruption, or disruption of application functionality. While confidentiality and availability are not directly impacted, the integrity compromise could facilitate further attacks or data loss. Organizations relying on Telegram-based automation, bots, or media processing pipelines using pyrofork are at risk. The vulnerability could be exploited to implant malicious files or disrupt critical services, especially in sectors like finance, government, or critical infrastructure where Telegram is used for communication or automation. The requirement for user interaction (receiving a malicious message) limits mass exploitation but targeted attacks remain a concern. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly disclosed.
Mitigation Recommendations
European organizations should immediately upgrade pyrofork to version 2.3.69 or later to apply the official fix. Until upgrade is possible, implement strict input validation and sanitization on filenames derived from Telegram messages, rejecting or neutralizing any path traversal sequences such as '../'. Employ file system access controls and sandboxing to restrict the directories where pyrofork can write files, minimizing potential damage from exploitation. Monitor logs for suspicious file write activities and unexpected file modifications. Consider disabling automatic media downloads or requiring explicit user confirmation before downloading files. Additionally, apply network-level filtering to limit exposure to untrusted Telegram messages where feasible. Conduct security reviews of Telegram bot implementations to ensure they do not blindly trust user-supplied filenames. Finally, maintain awareness of updates and advisories related to pyrofork and Telegram API integrations.
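The fix the advisory describes (sanitizing the sender-controlled file_name before building the download path) can be illustrated with a small helper. This is an added example, not pyrofork's own code; the function names are hypothetical and the sample filenames are constructed to show the traversal case alongside an ordinary one.

```python
import re
from pathlib import Path
from typing import Optional

# Hypothetical hardening of the download_media fallback described in the
# advisory: the sender-supplied DocumentAttributeFilename is reduced to a
# single safe path component, then the final path is checked against the
# download directory as defence in depth.

_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_sender_filename(file_name: Optional[str], default: str = "download.bin") -> str:
    """Keep only the last path component and neutralise odd characters."""
    if not file_name:
        return default
    name = file_name.replace("\x00", "")
    # Treat both separator styles as separators; keep the final component only.
    name = name.replace("\\", "/").split("/")[-1]
    # Replace anything outside a conservative allow-list, drop leading/trailing dots.
    name = _UNSAFE_CHARS.sub("_", name).strip(". ")
    return name or default


def resolve_download_path(download_dir: str, file_name: Optional[str]) -> Path:
    """Build the target path and refuse anything that leaves download_dir."""
    base = Path(download_dir).resolve()
    target = (base / sanitize_sender_filename(file_name)).resolve()
    if target.parent != base:
        raise ValueError(f"refusing path outside download directory: {target}")
    return target


def unsafe_join_escapes(download_dir: str, file_name: str) -> bool:
    """Reproduce the vulnerable pattern (plain join, no check) and report whether
    the resulting path would land outside download_dir."""
    base = Path(download_dir).resolve()
    naive = (base / file_name).resolve()
    return base not in naive.parents


if __name__ == "__main__":
    # Constructed sample filenames: one traversal attempt, one ordinary name.
    for name in ("../../escape.txt", "photo.jpg"):
        print(name, "escapes with naive join:", unsafe_join_escapes("/tmp/downloads", name))
        print(name, "-> safe path:", resolve_download_path("/tmp/downloads", name))
```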
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-10T18:46:14.762Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693a262ebbbecd30a6f23cd2
Added to database: 12/11/2025, 2:02:22 AM
Last enriched: 12/18/2025, 5:01:37 AM
Last updated: 2/5/2026, 6:24:21 PM
Views: 365