CVE-2025-67720: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Mayuri-Chan pyrofork
Pyrofork is a modern, asynchronous MTProto API framework. Versions 2.3.68 and earlier do not properly sanitize filenames received from Telegram messages in the download_media method before using them in file path construction. When downloading media, if the user does not specify a custom filename (which is the common/default usage), the method falls back to using the file_name attribute from the media object. The attribute originates from Telegram's DocumentAttributeFilename and is controlled by the message sender. This issue is fixed in version 2.3.69.
AI Analysis
Technical Summary
CVE-2025-67720 is a path traversal vulnerability classified under CWE-22, affecting the pyrofork framework, a modern asynchronous MTProto API framework used to interact with Telegram. In versions 2.3.68 and earlier, the download_media method does not properly sanitize filenames when saving media files received via Telegram messages. Specifically, if a user does not specify a custom filename, the method defaults to using the file_name attribute from the media object, which originates from Telegram's DocumentAttributeFilename. This attribute is controlled by the message sender, meaning an attacker can craft a malicious filename containing path traversal sequences (e.g., '../') to escape the intended download directory. This improper limitation of the pathname allows an attacker to write files to arbitrary locations on the filesystem where the application has write permissions. The vulnerability requires user interaction (the user triggering a media download) but no authentication or privileges, making it relatively easy to exploit remotely. The impact is primarily on integrity, as an attacker could overwrite or create files outside the designated directory, potentially leading to code injection, configuration tampering, or other malicious modifications. Confidentiality and availability are not directly impacted. The issue was addressed and fixed in pyrofork version 2.3.69 by implementing proper filename sanitization and path restrictions. There are no known exploits in the wild as of the publication date (December 11, 2025).
Potential Impact
For European organizations, the primary impact of this vulnerability is the potential compromise of system integrity through unauthorized file writes. Organizations using pyrofork to integrate Telegram messaging or media downloads in their applications or services could be at risk of attackers overwriting critical files, injecting malicious code, or altering configurations, which could lead to further compromise or lateral movement within networks. While confidentiality and availability are not directly affected, the integrity breach could facilitate subsequent attacks such as privilege escalation or persistent backdoors. The requirement for user interaction (downloading media) means social engineering or targeted phishing campaigns could be used to trigger exploitation. Given the widespread use of Telegram in Europe for both personal and business communications, and the adoption of pyrofork in development projects, the risk is non-negligible. Organizations handling sensitive data or critical infrastructure should prioritize patching to prevent potential exploitation.
Mitigation Recommendations
1. Immediately upgrade pyrofork to version 2.3.69 or later, where the vulnerability is fixed.
2. Implement additional filename validation and sanitization at the application level to reject or neutralize path traversal sequences before file operations.
3. Restrict the directories where media files can be saved by enforcing strict path constraints and using sandboxed or containerized environments to limit filesystem access.
4. Employ file integrity monitoring tools to detect unauthorized changes or additions to critical directories.
5. Educate users and administrators about the risks of downloading untrusted media files from Telegram, emphasizing caution with unknown senders.
6. Monitor application logs for suspicious file path patterns or errors related to file operations that could indicate attempted exploitation.
7. Consider deploying endpoint protection solutions that can detect and block attempts to write files outside expected directories.
8. Review and harden permissions on filesystem directories used by pyrofork to minimize the impact of any successful exploitation.
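The application-level check in recommendations 2 and 3 can be done before the sender-controlled file_name ever reaches download_media: reduce the name to a single path component, then prove the resolved target still lives inside the download directory. The code below is an added illustration written for this advisory, not pyrofork's own fix; the download directory, the sample filenames, and the assumption that download_media accepts an explicit file_name argument (as pyrogram's does) are all constructed here.

```python
import os
import re
from pathlib import PurePosixPath, PureWindowsPath

# Anything outside this set is replaced, so separators, NUL and shell
# metacharacters can never survive into the final name.
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]+")


def sanitize_filename(sender_name: str) -> str:
    """Collapse an untrusted DocumentAttributeFilename value to one safe component."""
    name = sender_name.replace("\x00", "")          # embedded NUL truncates C paths
    # Keep only the last segment under both POSIX and Windows rules, so
    # '../../x', '..\\..\\x' and 'C:\\x' all reduce to their final component.
    name = PureWindowsPath(PurePosixPath(name).name).name
    name = _UNSAFE.sub("_", name)[:255]              # common filename length limit
    if name.strip(".") == "":                        # '', '.', '..' are not usable names
        return "unnamed"
    return name


def resolve_download_path(download_dir: str, sender_name: str) -> str:
    """Return the absolute target path, refusing anything outside download_dir."""
    base = os.path.realpath(download_dir)
    target = os.path.realpath(os.path.join(base, sanitize_filename(sender_name)))
    # Defence in depth: even after sanitizing, verify containment on the
    # resolved path (catches symlinked directories as well as '..' sequences).
    if os.path.dirname(target) != base:
        raise ValueError(f"refusing to write outside {base}: {target}")
    return target


if __name__ == "__main__":
    # Constructed sender-supplied names of the kind a hostile message could carry.
    samples = ["../../etc/passwd", "..\\..\\Windows\\win.ini", "..", "report 2025.pdf"]
    for s in samples:
        print(repr(s), "->", resolve_download_path("/tmp/bot-downloads", s))
    # With pyrofork this path would be passed explicitly, e.g.
    #   await app.download_media(message, file_name=resolve_download_path(...))
    # so the vulnerable fallback to the sender's file_name is never taken.
```

Pair the check with a dedicated, minimally privileged download directory (recommendation 8) so that even a bypass of the validation has nothing sensitive to overwrite.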
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-10T18:46:14.762Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693a262ebbbecd30a6f23cd2
Added to database: 12/11/2025, 2:02:22 AM
Last enriched: 12/11/2025, 2:17:14 AM
Last updated: 12/11/2025, 5:59:22 AM