VYPR
Medium severity · CVSS 6.5 · NVD Advisory · Published Dec 11, 2025 · Updated Apr 15, 2026

CVE-2025-67720

Description

Pyrofork is a modern, asynchronous MTProto API framework. Versions 2.3.68 and earlier do not properly sanitize filenames received from Telegram messages in the download_media method before using them in file path construction. When downloading media, if the user does not specify a custom filename (which is the common/default usage), the method falls back to using the file_name attribute from the media object. The attribute originates from Telegram's DocumentAttributeFilename and is controlled by the message sender. This issue is fixed in version 2.3.69.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Pyrofork versions 2.3.68 and earlier have a path traversal vulnerability in download_media: a message sender who controls the document's filename can make the client write the downloaded file to an arbitrary location on the filesystem.

Vulnerability

Overview

CVE-2025-67720 is a path traversal vulnerability in Pyrofork, an asynchronous MTProto API framework for Telegram. The download_media method in versions 2.3.68 and earlier does not sanitize filenames received from Telegram messages before using them in file path construction [1]. When a user downloads media without specifying a custom filename (the common default usage), the method falls back to using the file_name attribute from the media object, which originates from Telegram's DocumentAttributeFilename and is controlled by the message sender [1][2].

Exploitation

Details

An attacker exploits this by sending a document whose filename carries path traversal sequences (e.g., ../) or an absolute path [1]. The vulnerable code path is in pyrogram/methods/messages/download_media.py: os.path.split() yields an empty filename when the caller passes no filename or only a directory path, and the code then falls back to the attacker-controlled media_file_name [1]. The subsequent os.path.join() does nothing to contain the result, so the file can be written outside the intended download directory [1]. The existing os.path.isabs() check does not reject absolute names; it only skips prepending the download directory, so an absolute attacker filename is used verbatim, while a relative name containing ../ passes the check and is joined onto the download directory [1].

Impact

A remote attacker can write files to arbitrary locations on the filesystem of the user running Pyrofork [1]. This could lead to overwriting critical files, planting malicious scripts, or other unauthorized file operations depending on the permissions of the Pyrofork process [1]. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) with a CVSS v3 score of 6.5 (Medium) [1][2].

Mitigation

The issue is fixed in Pyrofork version 2.3.69 [1][2]. The fix, implemented in commit 2f2d515, sanitizes filenames by removing path components using os.path.basename(), removing null bytes, and handling edge cases like empty or dot filenames [4]. Users should upgrade to version 2.3.69 or later to mitigate this vulnerability [1][2].
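To make the pre-fix and post-fix behaviour described above concrete, here is an added Python example (not Pyrofork's code) that re-implements, in simplified form, the filename handling visible in the patch context: the fallback to the sender-controlled media_file_name, the os.path.isabs() guard, and the sanitization added in 2.3.69. PARENT_DIR and DEFAULT_DOWNLOAD_DIR mirror the names in the diff; their values, FALLBACK_NAME, and the helpers build_target, sanitize_file_name and escapes_download_dir are assumptions made for this example. What the real method does when the name sanitizes to empty is not shown on this page.

```python
import os
from pathlib import Path

# Constants mirror the names used in the patch context; the values are
# assumptions for this example.
PARENT_DIR = Path("/home/bot/app")
DEFAULT_DOWNLOAD_DIR = "downloads"
# Assumption: what a caller might substitute when the name sanitizes to "".
# The real download_media fallback is not shown on this page.
FALLBACK_NAME = "unnamed"


def sanitize_file_name(file_name: str) -> str:
    """Filename sanitization equivalent to the one added in commit 2f2d515:
    keep only the basename, strip null bytes, reject '', '.' and '..'."""
    if file_name:
        file_name = os.path.basename(file_name)
        file_name = file_name.replace("\x00", "")
        if not file_name or file_name in (".", ".."):
            file_name = ""
    return file_name


def build_target(user_file_name: str, media_file_name: str, hardened: bool) -> Path:
    """Simplified model of download_media's path construction.

    user_file_name:  what the caller passed ("" is the common default).
    media_file_name: DocumentAttributeFilename from the message, i.e. sender-controlled.
    hardened=False reproduces the <= 2.3.68 logic, hardened=True the 2.3.69 logic.
    """
    directory, file_name = os.path.split(user_file_name)
    # An empty tail (no name, or a directory-only path) falls back to the sender's name.
    file_name = file_name or media_file_name or ""
    if hardened:
        file_name = sanitize_file_name(file_name)
    # Pre-fix, an absolute sender-supplied name skips the prefix and is used verbatim;
    # a relative name with ../ passes this check and is joined onto the download dir.
    if not os.path.isabs(file_name):
        directory = PARENT_DIR / (directory or DEFAULT_DOWNLOAD_DIR)
    return Path(os.path.join(directory, file_name or FALLBACK_NAME))


def escapes_download_dir(target: Path, base: Path = PARENT_DIR / DEFAULT_DOWNLOAD_DIR) -> bool:
    """Lexically normalise the target (no filesystem access) and report whether
    it lies outside the intended download directory."""
    resolved = Path(os.path.normpath(target))
    base = Path(os.path.normpath(base))
    return resolved != base and base not in resolved.parents


if __name__ == "__main__":
    # Constructed sender-controlled filenames, paired with the caller's argument.
    cases = [
        ("", "../../.bashrc"),            # relative traversal, default usage
        ("", "/tmp/evil.sh"),             # absolute name, isabs() skips the prefix
        ("", ".\x00."),                   # becomes '..' only after null-byte removal
        ("/srv/dl/", "../../etc/cron.d/x"),  # caller passed a directory-only path
    ]
    for user_name, sender_name in cases:
        base = Path("/srv/dl") if user_name else PARENT_DIR / DEFAULT_DOWNLOAD_DIR
        for hardened in (False, True):
            target = build_target(user_name, sender_name, hardened)
            print(f"{'fixed' if hardened else 'vuln '} {sender_name!r:28} -> "
                  f"{str(target)!r} escapes={escapes_download_dir(target, base)}")
```

The check is lexical on purpose: it shows where the join would land without touching the filesystem, which is also how you would write a regression test for this class of bug. Note that the ".\x00." case is why the fix strips null bytes before the '.'/'..' test; doing the dot test first would let that name through as a two-character filename that later collapses to "..".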

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: pyrofork (PyPI)
Affected versions: < 2.3.69
Patched versions: 2.3.69

Affected products

1

Patches

1
2f2d515575cc

pyrofork: fix(security): sanitize file names to prevent CWE-22 path traversal

https://github.com/Mayuri-Chan/pyrofork · yueyueL · Dec 10, 2025 · via ghsa
1 file changed · +11 −0
  • pyrogram/methods/messages/download_media.py (+11 −0, modified)
    @@ -150,6 +150,17 @@ async def progress(current, total):
             directory, file_name = os.path.split(file_name)
             file_name = file_name or media_file_name or ""
     
    +        # Sanitize file name
    +        # CWE-22: Path Traversal
    +        if file_name:
    +            # Remove any path components, keeping only the basename
    +            file_name = os.path.basename(file_name)
    +            # Remove null bytes which could cause issues
    +            file_name = file_name.replace('\x00', '')
    +            # Handle edge cases
    +            if not file_name or file_name in ('.', '..'):
    +                file_name = ""
    +
             if not os.path.isabs(file_name):
                 directory = self.PARENT_DIR / (directory or DEFAULT_DOWNLOAD_DIR)
     
    
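Review bot: the sanitized name is assigned before the `if not os.path.isabs(file_name)` guard on the following context line, and after `os.path.basename()` the name can no longer be absolute, so that branch now always runs; that is the intended effect, but it deserves a one-line comment and a regression test covering `../../x`, an absolute path, a name that only becomes `..` after null-byte removal (`.\x00.`), and a name that sanitizes to empty, since the `file_name = ""` fallback relies on whatever default-naming code follows this hunk and is not visible here.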

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
