Medium severity · 6.5 · NVD Advisory · Published Dec 11, 2025 · Updated Apr 15, 2026
CVE-2025-67720
Description
Pyrofork is a modern, asynchronous MTProto API framework. Versions 2.3.68 and earlier do not properly sanitize filenames received from Telegram messages in the download_media method before using them in file path construction. When downloading media, if the user does not specify a custom filename (which is the common/default usage), the method falls back to using the file_name attribute from the media object. The attribute originates from Telegram's DocumentAttributeFilename and is controlled by the message sender. This issue is fixed in version 2.3.69.
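The weakness described above is a classic path-construction problem: a filename chosen by the message sender is joined onto a download directory without being reduced to a single safe path component. The following is an added example, not code from Pyrofork or from its 2.3.69 fix, showing how a defender would sanitize such a name and verify that the final path stays inside the intended directory. All function names (`sanitize_filename`, `safe_download_path`, `is_contained`) and the sample sender-supplied names are constructed for illustration.

```python
import os
import re
from pathlib import Path

# Hypothetical helper names; this is not Pyrofork's own implementation.
# Characters outside this set are replaced, so no separators survive.
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_filename(name: str, fallback: str = "download.bin") -> str:
    """Reduce a sender-controlled filename to one safe path component.

    Both '/' and '\\' are treated as separators so that traversal
    sequences in either style lose their directory part. Leading dots
    and spaces are stripped so a sender cannot produce hidden or
    dot-only names; an empty result falls back to a fixed name.
    """
    base = name.replace("\\", "/").split("/")[-1]
    base = _UNSAFE_CHARS.sub("_", base)
    base = base.strip(". ")
    return base or fallback


def is_contained(root: str, path: str) -> bool:
    """True if `path`, once normalised, lies under `root`.

    commonpath is used rather than a string prefix test so that a
    sibling directory such as 'downloads_evil' is not mistaken for
    'downloads'.
    """
    root_n = os.path.normpath(os.path.abspath(root))
    path_n = os.path.normpath(os.path.abspath(path))
    return os.path.commonpath([root_n, path_n]) == root_n


def safe_download_path(download_dir: str, sender_filename: str) -> Path:
    """Build the on-disk path for a downloaded file.

    Sanitisation should already keep the name inside `download_dir`;
    the containment check is kept as a second, independent guard so a
    future change to the sanitiser cannot silently reintroduce escape.
    """
    root = Path(download_dir).resolve()
    candidate = root / sanitize_filename(sender_filename)
    if not is_contained(str(root), str(candidate)):
        raise ValueError("refusing path outside download directory")
    return candidate


def naive_join(download_dir: str, sender_filename: str) -> str:
    """The unsafe pattern: trusting the sender's name as-is.

    Kept only so the containment check can be shown catching it.
    """
    return os.path.join(download_dir, sender_filename)


if __name__ == "__main__":
    # Constructed sender-supplied names, including traversal attempts.
    samples = ["photo 2025.jpg", "../../etc/passwd", "..\\..\\win.ini", "...", ""]
    for s in samples:
        print(repr(s), "->", safe_download_path("downloads", s).name)
    print("naive join contained:",
          is_contained("/srv/downloads", naive_join("/srv/downloads", "../../etc/passwd")))
```

The two-layer approach matters in practice: `sanitize_filename` is the fix, and `is_contained` is the check that turns any regression into a loud failure rather than a silent write outside the download directory.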
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pyrofork (PyPI) | < 2.3.69 | 2.3.69 |