CVE-2025-67728 · Fireshare facilitates self-hosted media and link sharing.

01 · The Real Story

This is a booby-trapped loading dock, not a magic internet death ray

CVE-2025-67728 is a filename-driven command injection in Fireshare upload handling affecting <=1.2.30, fixed in v1.3.0. A crafted video filename is folded into a shell command during post-upload processing, which can turn an upload into arbitrary command execution and arbitrary file write/path traversal behavior. The advisory is explicit about the real gate: the attacker must either be an authenticated uploader, or hit an instance where *Public Uploads* is enabled.

The vendor's 9.8 CRITICAL score is technically defensible for the worst-case deployment, but it overstates fleet-wide reality. In practice this is a niche self-hosted app, uploads are optional/restrictable, and unauthenticated exploitation exists only on deployments that deliberately exposed public uploads; those are meaningful friction points, so this lands as HIGH, not CRITICAL.

"Real RCE, but only if attackers can upload; that conditional reachability knocks this down from vendor-critical to high."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Reach an upload-capable Fireshare endpoint with curl or Burp Suite

The attacker first needs HTTP reachability to a Fireshare instance and a path that accepts uploads. Per the advisory, that means either valid authenticated access or an internet-facing deployment with the *Public Uploads* feature enabled. This is the biggest reality check against the vendor CVSS: the bug is not universally pre-auth remote across all deployments.

Conditions required:

Network reachability to the Fireshare web app
Either valid upload-capable credentials or Public Uploads enabled
Target running Fireshare <=1.2.30

Where this breaks in practice:

Many deployments will not enable public uploads
Reverse proxies, VPN-only publishing, SSO gates, or IP allowlists can block step 1 entirely
Fireshare is a niche self-hosted product, not a broad enterprise staple

Detection/coverage: Most scanners only do version detection here; they generally do not validate whether Public Uploads is enabled. Web access logs can still show unauthenticated hits to upload routes.

STEP 02

Smuggle shell metacharacters through the uploaded filename using curl -F

The exploit is carried in the video filename, sent in multipart form data during upload. The vulnerable code path later concatenates the resulting path into a shell command, so the filename becomes a command-injection primitive rather than just metadata. Because the app still expects a supported video extension, the attacker typically preserves a valid extension while embedding the payload in the basename.

Conditions required:

Upload route accepts the file
Filename reaches backend processing unchanged
Extension passes Fireshare's supported file-type checks

Where this breaks in practice:

Patched versions sanitize filenames with secure_filename()
Operational upload restrictions or file-size limits can reduce exploit attempts
Custom upstream validation on filename characters can kill the payload early

Detection/coverage: HTTP logs, WAFs, or reverse proxies may capture suspicious multipart filenames, but coverage is inconsistent because many controls do not inspect multipart metadata deeply.

STEP 03

Trigger shell execution through Fireshare's vulnerable Popen(..., shell=True) path

The patch diff shows the core bug: vulnerable code invoked Fireshare CLI commands with shell=True, including the upload-driven scan-video path. The fix replaced shell invocation with argument arrays and shell=False, which is the right repair because it removes the shell parser from the path entirely. On unpatched systems, successful upload processing turns attacker-controlled filename content into command execution in the app/container context.

Conditions required:

Upload reaches the post-processing code path
Server executes the vulnerable scan-video or related CLI invocation
No local hardening interrupts child-process creation

Where this breaks in practice:

Upgrade to v1.3.0+ fully breaks this step
Application crashes or worker failures can cause noisy failed exploitation rather than clean RCE
EDR/container runtime policy can stop sh -c style process spawning

Detection/coverage: This is the best runtime choke point: detect python/Fireshare spawning sh, bash, or unexpected child processes inside the container. Version-only scanners cannot see active abuse.

STEP 04

Operate in the container context and tamper with mounted data using standard shell tooling

Post-exploitation impact is serious: arbitrary command execution in the Fireshare runtime can alter application state, drop binaries, and modify any mounted writable volumes exposed to the container. The README shows typical Docker mounts like /data, /processed, /videos, and /images, so the attacker usually gains immediate write access to app data and media stores even if they do not instantly get host root.

Conditions required:

Successful command execution
Writable container filesystem or writable mounted volumes
Outbound network or internal network reachability for follow-on activity

Where this breaks in practice:

Non-root containers, read-only filesystems, seccomp/AppArmor, and tight egress rules reduce blast radius
If the container is heavily sandboxed, impact may stay confined to the service and mounted media paths
No evidence in primary sources that host escape is inherent to this CVE

Detection/coverage: EDR for containerized workloads, Docker event telemetry, and file integrity monitoring on mounted volumes are the practical controls. Look for anomalous writes under /data, /processed, /videos, and /images.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No CISA KEV listing, and I found no primary-source reporting of active campaigns. That absence is an inference from CISA KEV, GHSA, and NVD.
Public exploit / PoC	No reputable public exploit repo was linked in the vendor advisory or NVD references. The patch diff is sufficiently small that a competent attacker can reproduce the bug quickly.
EPSS	`0.00388` per your intel block, which is low for a mass-exploitation candidate. I did not verify the percentile from a primary FIRST per-CVE page.
KEV status	Not listed in the Known Exploited Vulnerabilities catalog at time of review; no CISA due date.
CVSS vector reality check	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` matches the worst case only. In real deployments, `PR:N` is true only when Public Uploads is enabled; otherwise the attacker needs upload-capable authentication.
Affected versions	GitHub advisory says `<=1.2.30`; OSV expands that to affected `v1.*` releases before the fix.
Fixed version	Upgrade to `v1.3.0+`. The patch removes `shell=True` command execution and sanitizes filenames with `secure_filename()` in upload paths.
Exposure / population	Fireshare is internet-share-oriented software, but the reachable population is constrained by it being a niche self-hosted project. The main repo shows about `1.4k` stars and `89` forks, which is not zero but is nowhere near the exposure class of mainstream enterprise platforms.
Deployment pattern and blast radius	The project README says Fireshare is designed to run in Docker and commonly mounts `/data`, `/processed`, `/videos`, and `/images`. That usually means code exec lands in a container context with immediate write reach into app data and media volumes.
Disclosure timeline / reporter	GHSA was published 2025-12-11; NVD shows the CVE published 2025-12-12 with GitHub as CNA. Patched version is `v1.3.0`.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to HIGH (8.1/10)

The decisive factor is conditional attacker reachability: unauthenticated exploitation exists only when administrators deliberately enabled public uploads, otherwise the bug requires authenticated upload access. That sharply narrows exposed population versus a true internet-wide pre-auth RCE, but the exploitation path itself is simple and the impact inside the Fireshare runtime is still severe enough to keep this in HIGH.

HIGH Technical impact and fixed-version assessment

HIGH Prerequisite analysis: upload capability is required

MEDIUM Real-world exposure prevalence across deployed Fireshare instances

Why this verdict

Baseline down from 9.8: the vendor score models the worst case, but real exploitation starts with an upload-capable path, not generic anonymous internet reachability on every deployment.
Major friction: Public Uploads is conditional — per the advisory, PR:N only holds when Public Uploads is enabled; otherwise this is authenticated remote abuse, which is post-access and narrower.
Population is small — Fireshare is a niche self-hosted media app, not a common enterprise platform, so the reachable universe is much smaller than the bugs that deserve fleetwide CRITICAL treatment.
Impact stays serious — if you do expose public uploads, exploitation is low-complexity and yields arbitrary command execution in the app/container context with access to mounted data volumes.
Threat intel is quiet — low EPSS, no KEV listing, and no verified primary-source campaign evidence remove the usual amplifier that would push this back toward CRITICAL.

Why not higher?

Because this is not a clean, universal pre-auth internet RCE across the whole install base. The vulnerability depends on an upload-capable path, and the unauthenticated case exists only when admins turned on Public Uploads; that is real deployment friction, not theoretical edge-case handwaving.

Why not lower?

Because once the prerequisite is met, the exploit path is straightforward and the outcome is still arbitrary command execution. On an exposed Fireshare instance with public uploads enabled, this is exactly the kind of bug that becomes an immediate foothold into app data, mounted media volumes, and possible internal pivoting.

05 · Compensating Control

What to do — in priority order.

Disable public uploads — If the business does not explicitly need anonymous uploads, turn them off. This removes the PR:N branch of the attack path and should be completed within 30 days for a HIGH finding; if you knowingly expose Fireshare to the internet, do it sooner.
Put Fireshare behind authentication or private access — Require SSO, VPN, reverse-proxy auth, or IP allowlisting so the upload endpoints are not anonymously reachable from the internet. This is the highest-value exposure reduction step and should be deployed within 30 days.
Constrain the container — Run the service as non-root, keep mounts to the minimum needed, prefer read-only where possible, and apply seccomp/AppArmor or equivalent runtime policy. This does not fix the bug, but it reduces what post-exploitation can touch and should be tightened within 30 days.
Monitor child-process creation from Fireshare — Alert on the Fireshare process or container spawning shells or unexpected binaries, especially sh, bash, curl, wget, or package managers. That gives you runtime detection for exploit attempts and should be turned on within 30 days.
Inspect mounted-volume integrity — Watch /data, /processed, /videos, and /images for unexpected writes, executable drops, or ownership changes. This helps catch successful exploitation and follow-on persistence; stand it up within 30 days.

What doesn't work

A generic WAF-only stance does not solve this reliably; multipart filename fields and app-specific upload routes often slip through unless you wrote very targeted rules.
Running HTTPS/TLS does nothing here; the exploit is in server-side filename handling after the upload is accepted.
Media antivirus scanning is not the main control because the weapon is the filename and shell invocation path, not necessarily malicious video content.

06 · Verification

Crowdsourced verification payload.

Run this on the Docker host that runs Fireshare, not on a random auditor workstation. Invoke it as sudo bash fireshare_cve_2025_67728_check.sh fireshare for a container name, or sudo bash fireshare_cve_2025_67728_check.sh shaneisrael/fireshare:v1.2.30 for an image tag; it needs only read access to the Docker socket.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# fireshare_cve_2025_67728_check.sh
# Check whether a Docker-deployed Fireshare instance appears vulnerable to CVE-2025-67728.
#
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN
#  64 = USAGE ERROR

set -euo pipefail

usage() {
  echo "Usage: $0 <container-name|image:tag|version>" >&2
  echo "Example: $0 fireshare" >&2
  echo "Example: $0 shaneisrael/fireshare:v1.2.30" >&2
  exit 64
}

normalize_version() {
  local v="$1"
  v="${v#v}"
  v="${v%%-*}"
  echo "$v"
}

is_semver() {
  [[ "$1" =~ ^[vV]?[0-9]+\.[0-9]+\.[0-9]+([.-][A-Za-z0-9._-]+)?$ ]]
}

version_le() {
  local a b
  a="$(normalize_version "$1")"
  b="$(normalize_version "$2")"
  [[ "$(printf '%s\n%s\n' "$a" "$b" | sort -V | head -n1)" == "$a" ]]
}

version_ge() {
  local a b
  a="$(normalize_version "$1")"
  b="$(normalize_version "$2")"
  [[ "$(printf '%s\n%s\n' "$a" "$b" | sort -V | tail -n1)" == "$a" ]]
}

resolve_input_to_version() {
  local input="$1"

  if is_semver "$input"; then
    echo "$input"
    return 0
  fi

  if [[ "$input" == *:* ]]; then
    local tag="${input##*:}"
    if is_semver "$tag"; then
      echo "$tag"
      return 0
    fi
    echo "$tag"
    return 0
  fi

  if command -v docker >/dev/null 2>&1; then
    if docker inspect "$input" >/dev/null 2>&1; then
      local image tag
      image="$(docker inspect -f '{{.Config.Image}}' "$input" 2>/dev/null || true)"
      if [[ -n "$image" && "$image" == *:* ]]; then
        tag="${image##*:}"
        echo "$tag"
        return 0
      fi
    fi
  fi

  return 1
}

if [[ $# -ne 1 ]]; then
  usage
fi

TARGET="$1"
VERSION="$(resolve_input_to_version "$TARGET" 2>/dev/null || true)"

if [[ -z "$VERSION" ]]; then
  echo "UNKNOWN - could not resolve a Fireshare version from input '$TARGET'" 
  exit 2
fi

# Common non-pinned tags cannot prove safety.
case "$VERSION" in
  latest|latest-lite|main|master)
    echo "UNKNOWN - image tag '$VERSION' is not a pinned version; inspect your deployment manifest or container provenance"
    exit 2
    ;;
esac

if ! is_semver "$VERSION"; then
  echo "UNKNOWN - resolved tag/version '$VERSION' is not a parseable semantic version"
  exit 2
fi

if version_le "$VERSION" "1.2.30"; then
  echo "VULNERABLE - detected Fireshare version $VERSION (affected: <=1.2.30; fixed in 1.3.0)"
  exit 1
fi

if version_ge "$VERSION" "1.3.0"; then
  echo "PATCHED - detected Fireshare version $VERSION (fixed version threshold: >=1.3.0)"
  exit 0
fi

echo "UNKNOWN - version $VERSION could not be classified confidently"
exit 2

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, identify every Fireshare instance, then split them into two buckets: internet-facing with anonymous/public uploads versus everything else. For this HIGH finding, remove anonymous upload exposure or otherwise gate the service behind authentication within 30 days under the noisgate mitigation SLA, and move every <=1.2.30 deployment to v1.3.0+ within 180 days under the noisgate remediation SLA; if you knowingly run Public Uploads on an internet-exposed node, do not wait for the deadline ceiling.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.