CVE-2025-32807

A path traversal vulnerability in FusionDirectory before 1.5 allows remote attackers to read arbitrary files on the host that end with .png (and .svg or .xpm for some configurations) via the icon parameter of a GET request to geticon.php.

References

Affected packages

Git / gitlab.fusiondirectory.org/fusiondirectory/fd

Affected ranges

Type: GIT
Repo: https://gitlab.fusiondirectory.org/fusiondirectory/fd
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

9edefd0b367450d665a141c5e94db8a06d208556

Affected versions

fusiondirectory-1.*

fusiondirectory-1.0

fusiondirectory-1.0.1

fusiondirectory-1.0.10

fusiondirectory-1.0.11

fusiondirectory-1.0.12

fusiondirectory-1.0.13

fusiondirectory-1.0.14

fusiondirectory-1.0.15

fusiondirectory-1.0.16

fusiondirectory-1.0.17

fusiondirectory-1.0.18

fusiondirectory-1.0.19

fusiondirectory-1.0.2

fusiondirectory-1.0.20

fusiondirectory-1.0.3

fusiondirectory-1.0.4

fusiondirectory-1.0.5

fusiondirectory-1.0.6

fusiondirectory-1.0.7

fusiondirectory-1.0.7.1

fusiondirectory-1.0.7.2

fusiondirectory-1.0.7.3

fusiondirectory-1.0.7.4

fusiondirectory-1.0.8

fusiondirectory-1.0.8.1

fusiondirectory-1.0.8.2

fusiondirectory-1.0.8.3

fusiondirectory-1.0.8.4

fusiondirectory-1.0.8.5

fusiondirectory-1.0.8.6

fusiondirectory-1.0.8.7

fusiondirectory-1.0.8.8

fusiondirectory-1.0.8.9

fusiondirectory-1.0.9

fusiondirectory-1.0.9.1

fusiondirectory-1.0.9.2

fusiondirectory-1.0.9.3

fusiondirectory-1.1

fusiondirectory-1.1.1

fusiondirectory-1.2

fusiondirectory-1.2.1

fusiondirectory-1.2.2

fusiondirectory-1.2.3

fusiondirectory-1.3

fusiondirectory-1.3.1

fusiondirectory-1.4