CVE-2025-50202 Overview
CVE-2025-50202 is a path traversal vulnerability [CWE-22] in Lychee, an open-source photo-management application. The flaw affects versions starting from 6.6.6 up to but not including 6.6.10. An unauthenticated remote attacker can exploit improper path validation in SecurePathController.php to read arbitrary files on the host. Accessible content includes environment variables, nginx logs, other users' uploaded images, and configuration secrets. The maintainers patched the issue in Lychee 6.6.10.
Critical Impact
Remote unauthenticated attackers can read sensitive local files including .env secrets, web server logs, and other users' private images.
Affected Products
- Lychee versions 6.6.6 through 6.6.9
- Component: app/Http/Controllers/SecurePathController.php
- Fixed in Lychee 6.6.10
Discovery Timeline
- 2025-06-18 - CVE-2025-50202 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-50202
Vulnerability Analysis
Lychee uses a signed-URL mechanism implemented in SecurePathController to deliver protected assets such as user-uploaded images. The controller resolves a requested path relative to the configured storage disk and streams the file back to the client. In affected versions, the controller did not reject path components that escape the intended storage root. An attacker supplying traversal sequences such as ../ could resolve paths outside the storage directory and obtain arbitrary readable files served by the application user.
The vulnerability exposes confidentiality but does not affect integrity or availability. Exploitable assets include the Laravel .env file containing database credentials and application keys, nginx access and error logs, and image files belonging to other Lychee users. The attack requires no authentication and no user interaction, making automated mass exploitation against internet-exposed Lychee instances feasible.
Root Cause
The root cause is missing canonicalization and boundary checking on user-supplied path input within SecurePathController. The controller trusted the resolved path without verifying that the final location remained inside the permitted storage disk root. The patch introduces a dedicated PathTraversalException and a SecurePathRequest form-request class to validate input before the controller resolves the file path.
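As an added illustration of the missing check (this is not Lychee's code; the project's real fix is PHP in SecurePathRequest and SecurePathController), the Python function below shows the validate-then-resolve pattern: decode the input, reject traversal components, then confirm the normalised path still lies below the storage root. The storage root, the decoding depth and the helper names are assumptions.

```python
import posixpath
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested path would resolve outside the storage root."""


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so ..%2F and %252e%252e are both seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_secure_path(storage_root: str, requested: str) -> str:
    """Return the absolute path of `requested` under `storage_root`, or raise.

    Two layers, mirroring validate-then-resolve: (1) reject input that contains a
    '..' component, an absolute path, a backslash or a NUL byte; (2) normalise the
    joined path and require it to stay strictly below the root. This is a lexical
    check (an assumption of this example); a real controller should also realpath()
    the result so a symlink inside the storage tree cannot point outside it.
    """
    candidate = decode_fully(requested)
    if "\x00" in candidate or "\\" in candidate:
        raise PathTraversalError(f"forbidden character in {requested!r}")
    if candidate.startswith("/") or ".." in candidate.split("/"):
        raise PathTraversalError(f"traversal or absolute path in {requested!r}")
    root = posixpath.normpath(storage_root)
    resolved = posixpath.normpath(posixpath.join(root, candidate))
    if not resolved.startswith(root + "/"):
        raise PathTraversalError(f"{requested!r} resolves to {resolved}, outside {root}")
    return resolved


def is_within_root(storage_root: str, requested: str) -> bool:
    """True when resolve_secure_path() accepts the request."""
    try:
        resolve_secure_path(storage_root, requested)
    except PathTraversalError:
        return False
    return True
```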
Attack Vector
Exploitation occurs over the network against the Lychee HTTP endpoints handling secure paths. An attacker crafts a URL containing directory traversal sequences targeting the SecurePathController route. Because authentication is not required for signed-path delivery, an attacker only needs reachability to the application.
// Patch excerpt: new PathTraversalException class introduced in fix
<?php
namespace App\Exceptions\SecurePaths;

use App\Exceptions\BaseLycheeException;
use Symfony\Component\HttpFoundation\Response;

/**
 * PathTraversalException.
 *
 * This exception is thrown when a path traversal attack is detected.
 * We throw an error 418 because we use this with fail-to-ban for the honeypot.
 */
class PathTraversalException extends BaseLycheeException
{
    public function __construct(string $msg, ?\Throwable $previous = null)
    {
        parent::__construct(Response::HTTP_I_AM_A_TEAPOT, $msg, $previous);
    }
}
// Source: https://github.com/LycheeOrg/Lychee/commit/ae7270b7b47e4a284ea1f69d260e52d592711072
The controller patch additionally wires in request validation:
use App\Exceptions\SecurePaths\InvalidPayloadException;
use App\Exceptions\SecurePaths\InvalidSignatureException;
use App\Exceptions\SecurePaths\PathTraversalException;
use App\Exceptions\SecurePaths\SignatureExpiredException;
use App\Exceptions\SecurePaths\WrongPathException;
use App\Http\Requests\SecurePath\SecurePathRequest;
// Source: https://github.com/LycheeOrg/Lychee/commit/ae7270b7b47e4a284ea1f69d260e52d592711072
Detection Methods for CVE-2025-50202
Indicators of Compromise
- HTTP requests to Lychee secure-path routes containing ../, ..%2F, %2e%2e/, or other encoded traversal sequences.
- Web server access log entries showing 200 responses for path segments that reference .env, storage/logs, or /etc/.
- Unexpected outbound transfers of .env content, nginx logs, or images belonging to unrelated user accounts.
- HTTP 418 responses from a patched server, indicating attempted traversal detected by the new PathTraversalException handler.
Detection Strategies
- Inspect web access logs for traversal patterns targeting Lychee endpoints handled by SecurePathController.
- Alert on requests whose URL path contains traversal tokens followed by sensitive filenames such as .env, nginx.conf, or error.log, and escalate when the server answered 200.
- Correlate repeated requests from a single source IP that iterate filenames, indicating automated file enumeration.
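An added example, not part of the original advisory, implementing the three strategies above over constructed nginx access-log lines: the /secure-path/ route prefix, the sensitive-filename list and the enumeration threshold are assumptions, since the advisory does not name the exact route.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed nginx combined-format access log sample (not real traffic); the
# /secure-path/ route prefix is an assumed placeholder for Lychee's signed-URL route.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Jun/2025:10:01:02 +0000] "GET /api/v2/Album HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Jun/2025:10:01:05 +0000] "GET /secure-path/uploads/small/../../../.env HTTP/1.1" 200 1842 "-" "curl/8.0"
198.51.100.9 - - [18/Jun/2025:10:01:06 +0000] "GET /secure-path/uploads/..%2F..%2Fstorage/logs/laravel.log HTTP/1.1" 200 90211 "-" "curl/8.0"
198.51.100.9 - - [18/Jun/2025:10:01:07 +0000] "GET /secure-path/%252e%252e/%252e%252e/nginx/error.log HTTP/1.1" 404 162 "-" "curl/8.0"
203.0.113.7 - - [18/Jun/2025:10:02:00 +0000] "GET /secure-path/uploads/small/abc.jpg HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, request path and status are all we need.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")  # a '..' path component after decoding
SENSITIVE_RE = re.compile(r"\.env|storage/logs|nginx\.conf|error\.log|access\.log|/etc/", re.I)


def analyze(log_text: str, route_prefix: str = "/secure-path/", enum_threshold: int = 3):
    """Return (hits, enumerating_ips) for traversal attempts against the secure-path route.

    A hit is 'likely_exposed' when the decoded path names a sensitive file AND the
    server answered 200, i.e. the file was probably served. Sources with at least
    enum_threshold traversal requests are reported as automated enumeration.
    """
    hits, per_ip = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(route_prefix):
            continue
        # Three decode passes surface ..%2F and double-encoded %252e%252e as '..'.
        decoded = unquote(unquote(unquote(m["path"])))
        if not TRAVERSAL_RE.search(decoded):
            continue
        per_ip[m["ip"]] += 1
        sensitive = bool(SENSITIVE_RE.search(decoded))
        hits.append({"ip": m["ip"], "path": decoded, "status": int(m["status"]),
                     "likely_exposed": sensitive and m["status"] == "200"})
    enumerating = sorted(ip for ip, n in per_ip.items() if n >= enum_threshold)
    return hits, enumerating


if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOG)[0]:
        print(hit)
```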
Monitoring Recommendations
- Enable verbose logging on the reverse proxy in front of Lychee and forward logs to a centralized analytics platform.
- Monitor file-access auditing on the Lychee storage directory and parent paths for reads originating from the PHP-FPM or web server process.
- Track Lychee version inventory across hosts to identify instances still running 6.6.6 through 6.6.9.
How to Mitigate CVE-2025-50202
Immediate Actions Required
- Upgrade Lychee to version 6.6.10 or later, which contains the upstream fix.
- Rotate all secrets stored in the Lychee .env file, including APP_KEY, database credentials, and mail credentials, assuming exposure.
- Audit web server and application logs for traversal attempts dating back to the deployment of any affected version.
- Restrict network exposure of Lychee instances to trusted networks until patching is complete.
Patch Information
The fix is delivered in Lychee 6.6.10 via commit ae7270b7b47e4a284ea1f69d260e52d592711072. The patch introduces a dedicated PathTraversalException and a SecurePathRequest validation class that rejects traversal sequences before path resolution. See the GitHub Security Advisory GHSA-6rj9-gm78-vhf9 and the upstream commit for full diff details.
Workarounds
- Place a reverse proxy or web application firewall rule in front of Lychee that blocks requests containing ../, ..\, %2e%2e, or null-byte sequences in the URL path or query string.
- Run the Lychee process under a least-privilege user account with read access restricted to the storage directory only.
- Relocate the .env file and configuration secrets outside any directory served by the web root and tighten filesystem permissions.
# Example nginx rule to block traversal patterns against Lychee.
# $request_uri is the raw, undecoded request line (path plus query string), so
# both literal and percent-encoded forms are visible to the regex, and ~* makes
# the match case-insensitive. The doubled backslashes are deliberate: nginx
# unescapes "\\" inside quoted strings before PCRE sees the pattern, so "\\\\"
# is what matches a single literal backslash. Returning 418 mirrors the status
# the upstream PathTraversalException uses; "return" inside "if" is one of the
# nginx-safe uses of "if".
location / {
    if ($request_uri ~* "(\.\./|\.\.\\\\|%2e%2e|%252e%252e)") {
        return 418;
    }
    try_files $uri $uri/ /index.php?$query_string;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.