CVE-2025-50202

EUVD-2025-18624 HIGH
2025-06-18
7.5 CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 22:49 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 22:49 (euvd), EUVD-2025-18624
CVE Published: Jun 18, 2025 - 05:15 (nvd), HIGH 7.5

Description

Lychee is a free photo-management tool. In versions starting from 6.6.6 to before 6.6.10, an attacker can leak local files, including environment variables, nginx logs, other users' uploaded images, and configuration secrets, due to a path traversal exploit in SecurePathController.php. This issue has been patched in version 6.6.10.

Analysis

A path traversal vulnerability in the Lychee photo-management tool (versions 6.6.6 through 6.6.9) allows unauthenticated remote attackers to read arbitrary files from the server, including environment variables, configuration secrets, nginx logs, and other users' uploaded images. The vulnerability exists in SecurePathController.php and has a CVSS score of 7.5 (high severity): exploitation is network-based and requires neither authentication nor user interaction. A patch is available in version 6.6.10.

Technical Context

Lychee is a self-hosted photo management and sharing application built on PHP. The vulnerability is rooted in CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - Path Traversal), indicating that the SecurePathController.php component fails to properly sanitize or validate user-supplied path parameters before using them in file system operations. Affected versions 6.6.6 through 6.6.9 contain insufficient input validation that allows attackers to traverse directory structures using path traversal sequences (e.g., '../../../') to access files outside the intended directory boundaries. The vulnerability likely affects the file serving/retrieval mechanisms used by Lychee to manage and access stored images and application files, potentially exposing the entire server filesystem depending on the PHP process permissions and web server configuration.

Affected Products

Lychee photo-management application versions 6.6.6, 6.6.7, 6.6.8, and 6.6.9. The vulnerability is specific to the SecurePathController.php component across these versions. Unaffected versions include 6.6.10 and later. The vulnerability affects all installations regardless of operating system (Linux, Windows, macOS) as long as the vulnerable PHP code is executed. Systems running Lychee versions prior to 6.6.6 or version 6.6.10 and later are not affected by this specific vulnerability.

Remediation

Immediate remediation:
(1) Upgrade to Lychee version 6.6.10 or later, which contains the security patch addressing the path traversal vulnerability in SecurePathController.php.
(2) If an immediate upgrade is not possible, implement network-level access controls that restrict access to the Lychee application to trusted IP addresses only.
(3) Implement Web Application Firewall (WAF) rules to detect and block path traversal attempts (patterns such as '../', '..\', and URL-encoded variants such as '%2e%2e%2f').
(4) Review web server logs and any accessible files for evidence of exploitation.
(5) Rotate all credentials, API keys, and secrets that may have been exposed through environment variable leakage.
(6) Audit file permissions to ensure the web server process runs with the minimum necessary privileges.
Vendor advisory and patch details are available from the Lychee GitHub repository (https://github.com/LycheeOrg/Lychee).
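A defender-side check for remediation step (4), added here as an example that is not part of the vuln.today page or of the Lychee project: it scans nginx access-log lines for requests whose decoded path climbs out of its directory, covering the plain, backslash, URL-encoded and double-encoded variants named in step (3). The log lines and request paths are constructed for illustration and are not real Lychee routes.

```python
import re
from urllib.parse import unquote

# Constructed nginx access-log lines (combined format) used only as sample
# input; the request paths are hypothetical, not real Lychee routes.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Jun/2025:05:20:01 +0000] "GET /gallery/photo1.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [18/Jun/2025:05:21:14 +0000] "GET /gallery/../../../.env HTTP/1.1" 200 812 "-" "curl/8.0"
203.0.113.12 - - [18/Jun/2025:05:22:30 +0000] "GET /gallery/%2e%2e%2f%2e%2e%2fvar/log/nginx/access.log HTTP/1.1" 200 99 "-" "curl/8.0"
203.0.113.13 - - [18/Jun/2025:05:23:45 +0000] "GET /gallery/%252e%252e%255cconfig.php HTTP/1.1" 404 0 "-" "python-requests/2.31"
203.0.113.14 - - [18/Jun/2025:05:24:02 +0000] "GET /gallery/holiday..2024.jpg HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

# client ip, timestamp, method, request path, status code
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def normalize_path(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (catches %252e double encoding) and
    fold backslashes into forward slashes so '..\\' reads as '../'."""
    path = raw
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(path: str) -> bool:
    """True only when a whole path segment is '..'; 'a..b.jpg' is not."""
    return any(seg == ".." for seg in path.split("/"))


def find_traversal_attempts(log_text: str) -> list:
    """Return one record per request whose decoded path climbs directories.
    A 200 status on such a request is the strongest sign of a successful read."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, raw_path, status = m.groups()
        path = normalize_path(raw_path.split("?", 1)[0])
        if is_traversal(path):
            hits.append({"ip": ip, "time": ts, "status": int(status),
                         "raw": raw_path, "decoded": path})
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['status']} {hit['raw']} -> {hit['decoded']}")
```

Requests that were flagged and answered with 200 should be treated as probable disclosures and drive the credential rotation in step (5).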

Priority Score

38 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +38
POC: 0

CVE-2025-50202 vulnerability details – vuln.today