CVE-2025-63365 Overview
CVE-2025-63365 is a high-severity Directory Traversal vulnerability affecting SoftSea EPUB File Reader version 1.0.0.0. The vulnerability resides in the EPUB file processing component, specifically in the functionality responsible for extracting and handling EPUB archive contents. This flaw allows attackers to craft malicious EPUB files that, when processed by the vulnerable application, can write files to arbitrary locations on the victim's system or read sensitive files outside the intended directory structure.
Critical Impact
Successful exploitation of this directory traversal vulnerability could allow attackers to achieve high confidentiality and integrity impact by reading sensitive files or overwriting critical system files when a user opens a maliciously crafted EPUB file.
Affected Products
- SoftSea EPUB File Reader 1.0.0.0
Discovery Timeline
- 2025-12-01 - CVE-2025-63365 published to NVD
- 2025-12-02 - Last updated in NVD database
Technical Details for CVE-2025-63365
Vulnerability Analysis
This vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal or Directory Traversal. The vulnerability carries a CVSS v3.1 score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N.
The CVSS metrics indicate:
- Attack Vector (AV:L): Local - requires the attacker to deliver a malicious file to the victim
- Attack Complexity (AC:L): Low - exploitation is straightforward once the malicious file is opened
- Privileges Required (PR:N): None - no special privileges needed
- User Interaction (UI:R): Required - victim must open the malicious EPUB file
- Confidentiality Impact (C:H): High - sensitive files can be read
- Integrity Impact (I:H): High - arbitrary files can be written/modified
- Availability Impact (A:N): None - the vulnerability does not affect system availability
The EPSS (Exploit Prediction Scoring System) probability is 0.049% (15th percentile), indicating a relatively low likelihood of exploitation in the wild as of 2025-12-16.
Root Cause
The root cause of CVE-2025-63365 lies in insufficient validation of file paths during EPUB archive extraction. EPUB files are essentially ZIP archives containing structured content (HTML, CSS, images, and metadata). When the SoftSea EPUB File Reader extracts these contents, it fails to properly sanitize file paths contained within the archive.
The application does not adequately check for path traversal sequences such as ../ (dot-dot-slash) within the filenames of archived entries. This allows an attacker to craft an EPUB file where internal file entries contain relative path components that escape the intended extraction directory.
Attack Vector
The attack requires local access in the sense that an attacker must deliver a malicious EPUB file to the victim. This can be accomplished through various social engineering techniques:
- Email attachment: Sending a malicious EPUB file disguised as a legitimate document
- Malicious download: Hosting the crafted EPUB on compromised or attacker-controlled websites
- File sharing platforms: Distributing through legitimate file-sharing services
When the victim opens the malicious EPUB file with SoftSea EPUB File Reader 1.0.0.0, the application processes the archive and extracts files. Due to the lack of path validation, files within the EPUB containing traversal sequences like ../../../../../../etc/target or ..\..\..\..\Windows\target are written outside the intended extraction directory.
This could allow an attacker to:
- Overwrite configuration files to achieve persistence or privilege escalation
- Plant malicious executables in startup directories
- Read sensitive files by manipulating the extraction process
- Corrupt system files leading to application or system instability
Detection Methods for CVE-2025-63365
Indicators of Compromise
- Presence of EPUB files containing entries with ../ or ..\ path traversal sequences
- Unexpected files appearing in system directories after opening EPUB files
- Modified configuration files or executables in user profile or system directories
- File system activity showing writes to directories outside normal EPUB reader cache/temp locations
- Suspicious EPUB files with unusually structured manifest or container files
Detection Strategies
Organizations should implement file integrity monitoring (FIM) to detect unauthorized changes to critical system files and directories. Security teams can deploy endpoint detection rules that monitor for:
- File extraction patterns: Monitor for file write operations that traverse outside expected application directories when EPUB reader processes are active
- Archive analysis: Implement content inspection for EPUB files at email gateways and web proxies to detect malicious path sequences
- Process monitoring: Track child processes and file operations initiated by SoftSea EPUB File Reader for suspicious behavior
SentinelOne Singularity Platform provides behavioral AI-based detection that can identify suspicious file system activities associated with directory traversal exploitation attempts, including unexpected file writes to sensitive directories when document readers are processing files.
Monitoring Recommendations
- Enable detailed file system auditing on endpoints running vulnerable EPUB reader software
- Configure alerts for file writes to sensitive directories (startup folders, system directories, user profile locations) originating from document reader applications
- Implement application allowlisting to restrict which applications can write to critical system paths
- Deploy network-level inspection to scan EPUB files for malicious path sequences before delivery to endpoints
How to Mitigate CVE-2025-63365
Immediate Actions Required
- Discontinue use of SoftSea EPUB File Reader version 1.0.0.0 until a patched version is available
- Implement email filtering rules to quarantine or scan EPUB attachments before delivery
- Use alternative EPUB readers that properly validate file paths during archive extraction
- Educate users about the risks of opening EPUB files from untrusted sources
- Deploy application-level sandboxing to isolate document readers from the broader file system
Patch Information
As of the last modification date (2025-12-02), no official patch information has been published by the vendor. Organizations should monitor the following resources for updates:
- Jeroscope Security Advisory - Original vulnerability disclosure
- EPUB Official Site - Vendor communication channel
Until an official patch is released, organizations should implement the workarounds described below and consider migrating to alternative EPUB reader software.
Workarounds
In the absence of an official patch, the following workarounds can help mitigate the risk:
- Application sandboxing: Run SoftSea EPUB File Reader in a sandboxed environment or virtual machine to limit file system access
- File system permissions: Restrict write permissions for the user account running the EPUB reader to prevent writes to sensitive directories
- Alternative software: Use alternative EPUB readers with proper path validation such as Calibre, Adobe Digital Editions, or browser-based readers
- Gateway filtering: Implement email and web gateway rules to block or quarantine EPUB files from untrusted sources
Organizations can implement restrictive file system access controls to limit the impact of potential exploitation:
# Example: Create a restricted user for EPUB reader (Linux)
# This limits the directories the application can write to
useradd -m -s /bin/bash epub_reader_user
chmod 700 /home/epub_reader_user
# Restrict access to sensitive directories
setfacl -m u:epub_reader_user:--- /etc
setfacl -m u:epub_reader_user:--- /usr
setfacl -m u:epub_reader_user:--- /var
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
