CVE-2025-67720: Pyrofork has a Path Traversal in download_media Method

December 10, 2025 (updated December 11, 2025)

The download_media method in Pyrofork does not sanitize filenames received from Telegram messages before using them in file path construction. This allows a remote attacker to write files to arbitrary locations on the filesystem by sending a specially crafted document with path traversal sequences (e.g., ../) or absolute paths in the filename.

References

github.com/Mayuri-Chan/pyrofork
github.com/Mayuri-Chan/pyrofork/commit/2f2d515575cc9c360bd74340a61a1d2b1e1f1f95
github.com/Mayuri-Chan/pyrofork/security/advisories/GHSA-6h2f-wjhf-4wjx
github.com/advisories/GHSA-6h2f-wjhf-4wjx
nvd.nist.gov/vuln/detail/CVE-2025-67720

Code Behaviors & Features

Detect and mitigate CVE-2025-67720 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →