Mediacrush
CVE-2025-61506
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
An issue was discovered in MediaCrush thru 1.0.1 allowing remote unauthenticated attackers to upload arbitrary files of any size to the /upload endpoint.
AnalysisAI
MediaCrush through version 1.0.1 allows unauthenticated arbitrary file upload without file type restrictions, enabling web shell deployment and remote code execution.
Technical ContextAI
MediaCrush <= 1.0.1 has a CWE-434 unrestricted file upload that accepts any file type without authentication, allowing direct upload and execution of web shells.
RemediationAI
Do not expose MediaCrush to the internet. Implement authentication and file type validation.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today