CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Fastw3b LLC FW Gallery allows Path Traversal. This issue affects FW Gallery: from n/a through 8.0.0.
Analysis
Path traversal vulnerability in Fastw3b LLC FW Gallery (versions through 8.0.0) that allows unauthenticated remote attackers to cause denial of service by manipulating file path parameters. The vulnerability has a high CVSS score of 8.6 due to its network accessibility and lack of authentication requirements, though impact is limited to availability rather than confidentiality or integrity. Specific KEV status, EPSS scores, and publicly available POC information cannot be confirmed from the provided data, warranting immediate vendor contact for patch availability and exploitation status.
Technical Context
This vulnerability exploits improper input validation in file path handling mechanisms within FW Gallery, a web-based gallery application by Fastw3b LLC. The root cause falls under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), a classic path traversal flaw where user-supplied path input is not adequately sanitized before being used in file system operations. Attackers can craft malicious path parameters containing directory traversal sequences (e.g., '../', '..\') to access files and directories outside the intended restricted directory. The web-based nature (AV:N in CVSS vector) indicates the vulnerability is exploitable via standard HTTP requests without local access. The lack of required privileges (PR:N) and user interaction (UI:N) means exploitation requires no authentication or social engineering.
Affected Products
Fastw3b LLC FW Gallery versions from unspecified baseline through 8.0.0 inclusive. The description provides no specific CPE string, lower version boundary, or patch version information. Affected configurations include any deployment of FW Gallery 8.0.0 or earlier exposed to untrusted network input. Vendor advisories from Fastw3b LLC should be consulted for: (1) exact affected version range, (2) patched version availability (likely 8.0.1 or later), (3) official CVE advisory URL, (4) workaround guidance. The product appears to be a web application gallery manager, likely installed on web servers running PHP, Node.js, or similar platforms.
Remediation
Immediate remediation steps:
(1) Upgrade FW Gallery to the latest patched version released by Fastw3b LLC (vendor contact required, as the patch version is not specified in the provided data).
(2) If immediate patching is unavailable, implement input validation/sanitization in the application layer or via web application firewall (WAF) rules to reject or encode path traversal sequences ('../', '..\', URL-encoded variants like '%2e%2e/').
(3) Apply the principle of least privilege to the web application's file system access: run the gallery application under a restricted user account with minimal directory permissions.
(4) Disable directory listing and implement strict access controls on sensitive directories.
(5) Monitor application logs for suspicious path traversal attempts (sequences with '..' or unusual path patterns).
(6) Consider network segmentation to limit exposure of the FW Gallery application to trusted users only.
Consult Fastw3b LLC's official security advisory and GitHub repository for patch downloads and detailed remediation guidance.
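The following is an added illustration of steps (2) and (5) above, written for this page and not taken from FW Gallery or Fastw3b LLC: a containment check that resolves the requested path under the gallery root (so plain, backslash, percent-encoded and double-encoded traversal variants are all caught by the same realpath comparison) and a log scan that flags requests carrying a decoded '..' segment. The gallery root and the access-log lines are constructed placeholders.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

GALLERY_ROOT = "/var/www/gallery/files"  # hypothetical root, not FW Gallery's real path


def normalize_user_path(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (handles '%2e%2e/' and '%252e%252e/') and fold '\\' to '/'."""
    for _ in range(max_rounds):
        decoded = unquote(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw.replace("\\", "/")


def resolve_in_root(user_path: str, root: str = GALLERY_ROOT) -> "str | None":
    """CWE-22 fix: return the absolute path only if it stays under `root`, else None.
    realpath collapses '..' and symlinks first, so this is containment, not a '../' blacklist."""
    candidate = normalize_user_path(user_path)
    if "\x00" in candidate:  # a null byte would truncate the path in C-level file APIs
        return None
    root_real = os.path.realpath(root)
    # join() drops root when candidate is absolute; commonpath then rejects that too.
    full = os.path.realpath(os.path.join(root_real, candidate))
    return full if os.path.commonpath([root_real, full]) == root_real else None


def has_traversal(raw_url: str) -> bool:
    """Detection (step 5): True when the URL path or any query value holds a '..' segment after decoding."""
    parts = urlsplit(raw_url)
    candidates = [parts.path]
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        candidates.extend(values)
    return any(".." in normalize_user_path(c).split("/") for c in candidates)


SAMPLE_LOG = [  # constructed access-log lines, not from a real deployment
    '203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /gallery/view?file=summer/1.jpg HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2025:10:00:01 +0000] "GET /gallery/view?file=%2e%2e/%2e%2e/outside.txt HTTP/1.1" 404 0',
    '203.0.113.9 - - [01/Jan/2025:10:00:02 +0000] "GET /gallery/view?file=..%5c..%5coutside.txt HTTP/1.1" 404 0',
]


def flag_traversal_requests(log_lines):
    """Return the log lines whose request URL triggers has_traversal()."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST|HEAD) (\S+)', line)
        if m and has_traversal(m.group(1)):
            hits.append(line)
    return hits
```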
EUVD-2025-19226