Home > Vulnerability Database > CVE-2025-50202

Mend.io Vulnerability Database

CVE-2025-50202

Good to know:

Date: June 17, 2025

Lychee is a free photo-management tool. In versions starting from 6.6.6 to before 6.6.10, an attacker can leak local files including environment variables, nginx logs, other user's uploaded images, and configuration secrets due to a path traversal exploit in SecurePathController.php. This issue has been patched in version 6.6.10.

Severity Score

7.5

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-50202

Url: https://github.com/LycheeOrg/Lychee/commit/ae7270b7b47e4a284ea1f69d260e52d592711072

Url: https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-6rj9-gm78-vhf9

Url: https://github.com/LycheeOrg/Lychee/blob/0709f5d984d4df77fc5e23a29a0231437e684e99/app/Http/Controllers/SecurePathController.php#L61

Url: https://www.mend.io/vulnerability-database/CVE-2025-50202

Severity Score

7.5

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Top Fix

Upgrade Version

Upgrade to version lychee-org/lychee - 6.6.10;https://github.com/LycheeOrg/Lychee.git - v6.6.10

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-50202

Good to know:

Date: June 17, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?