CVE-2025-67720

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-67720
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67720.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-67720
Aliases
Published
2025-12-11T01:25:46.459Z
Modified
2025-12-11T02:41:36.863755Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Summary
Pyrofork has a Path Traversal in download_media Method
Details

Pyrofork is a modern, asynchronous MTProto API framework. Versions 2.3.68 and earlier do not properly sanitize filenames received from Telegram messages in the download_media method before using them in file path construction. When downloading media, if the caller does not specify a custom filename (the common, default usage), the method falls back to the filename attribute of the media object. That attribute originates from Telegram's DocumentAttributeFilename and is controlled by the message sender. This issue is fixed in version 2.3.69.
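The class of fix the advisory describes, as an added example that is not Pyrofork's code: a helper that reduces a sender-controlled filename to a single safe path component and then verifies, after resolution, that the final path still lies inside the download directory. The function names, the fallback name and the download directory are assumptions for illustration; the defensive steps (take only the last component under both POSIX and Windows separator rules, replace unsafe characters, refuse empty or dot-only names, and re-check containment) are the general pattern for any downloader that accepts remote-supplied names.

```python
"""Hardened handling of a sender-supplied filename before it is joined
to a download directory (added example; not Pyrofork's implementation)."""
import re
from pathlib import Path, PurePosixPath, PureWindowsPath

# Control characters and characters that are separators or reserved on
# common filesystems; they are replaced inside a single path component.
_BAD_CHARS = re.compile(r'[\x00-\x1f<>:"/\\|?*]')

# Assumed fallback used when the remote name yields nothing usable.
DEFAULT_NAME = "download.bin"


def sanitize_filename(name: str, fallback: str = DEFAULT_NAME) -> str:
    """Collapse a remote-controlled name to one safe path component."""
    if not isinstance(name, str):
        return fallback
    # Keep only the last component, applying POSIX rules first and then
    # Windows rules, so "../x", "..\\x" and "C:\\x" all reduce to "x".
    base = PureWindowsPath(PurePosixPath(name).name).name
    # Neutralise reserved characters; drop leading/trailing dots and spaces
    # so hidden-file names and ".." cannot survive.
    base = _BAD_CHARS.sub("_", base).strip(" .")
    if base in ("", ".", ".."):
        return fallback
    # Approximate common per-component length limits (assumed 255).
    return base[:255]


def would_escape(download_dir: str, raw_name: str) -> bool:
    """Containment check: would a naive join of raw_name leave download_dir?

    Useful as a detection/assertion step in code review or tests; it does
    not touch the filesystem (non-strict resolve)."""
    root = Path(download_dir).resolve()
    naive = (root / raw_name).resolve()
    try:
        naive.relative_to(root)
    except ValueError:
        return True
    return False


def safe_download_path(download_dir: str, sender_name: str) -> Path:
    """Build the destination path for a downloaded file safely."""
    root = Path(download_dir).resolve()
    target = (root / sanitize_filename(sender_name)).resolve()
    # Defense in depth: the sanitized name must land directly under root.
    if target.parent != root:
        raise ValueError("resolved path escapes the download directory")
    return target


if __name__ == "__main__":
    # Constructed sample names, as a sender could set DocumentAttributeFilename.
    for sample in ["photo.jpg", "../../outside.txt", "..\\win.ini", "..", ""]:
        print(repr(sample), "->", safe_download_path("downloads", sample).name,
              "| naive join escapes:", would_escape("downloads", sample))
```

Applying the check on the raw name before the sanitized one makes the difference visible in a test suite: the naive join of a traversal-style name escapes the directory, while the sanitized path never does.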

Database specific
{
    "cwe_ids": [
        "CWE-22"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/67xxx/CVE-2025-67720.json"
}
References

Affected packages

Git / github.com/mayuri-chan/pyrofork

Affected ranges

Type
GIT
Repo
https://github.com/mayuri-chan/pyrofork
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.3.69"
        }
    ]
}

Affected versions

v2.*

v2.3.0
v2.3.1
v2.3.10
v2.3.11
v2.3.11.post1
v2.3.11.post2
v2.3.11.post3
v2.3.11.post4
v2.3.11.post5
v2.3.11.post6
v2.3.12
v2.3.12.post1
v2.3.13
v2.3.13.post1
v2.3.14
v2.3.14.post1
v2.3.14.post2
v2.3.15
v2.3.15.post1
v2.3.15.post2
v2.3.15.post3
v2.3.15.post4
v2.3.15.post5
v2.3.16
v2.3.16.post1
v2.3.16.post2
v2.3.16.post3
v2.3.16.post4
v2.3.16.post5
v2.3.17
v2.3.17.post1
v2.3.17.post2
v2.3.18
v2.3.19
v2.3.19.post1
v2.3.19.post2
v2.3.2
v2.3.20
v2.3.21
v2.3.21.post1
v2.3.21.post2
v2.3.21.post3
v2.3.22
v2.3.23
v2.3.24
v2.3.25
v2.3.26
v2.3.27
v2.3.28
v2.3.29
v2.3.3
v2.3.30
v2.3.31
v2.3.32
v2.3.33
v2.3.34
v2.3.35
v2.3.36
v2.3.37
v2.3.38
v2.3.39
v2.3.4
v2.3.40
v2.3.41
v2.3.42
v2.3.43
v2.3.44
v2.3.45
v2.3.46
v2.3.47
v2.3.48
v2.3.49
v2.3.5
v2.3.5.post2
v2.3.50
v2.3.51
v2.3.52
v2.3.53
v2.3.54
v2.3.55
v2.3.56
v2.3.57
v2.3.58
v2.3.59
v2.3.6
v2.3.6.post1
v2.3.6.post2
v2.3.6.post3
v2.3.60
v2.3.61
v2.3.62
v2.3.63
v2.3.64
v2.3.65
v2.3.66
v2.3.67
v2.3.68
v2.3.7
v2.3.8
v2.3.8.post1
v2.3.8.post2
v2.3.8.post3
v2.3.9
v2.3.9.post1
v2.3.9.post2