CVE-2025-61506

CRITICAL

MediaCrush < 1.0.1 - Unauthenticated Arbitrary File Upload via /upload Endpoint

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-61506, a PoC published by pescada-dev.

AI-analyzed exploit summary: the PoC demonstrates an unrestricted file upload vulnerability (CWE-434) in MediaCrush. An unauthenticated attacker can upload arbitrarily large files to the upload endpoint, exhausting disk storage and causing a denial of service that takes the application down.

Description

An issue was discovered in MediaCrush through 1.0.1 allowing remote unauthenticated attackers to upload arbitrary files of any size to the /upload endpoint. Note that the affected-version range is stated inconsistently on this page: the title and product entry give "< 1.0.1", while the description and the PoC target give "through 1.0.1", so whether 1.0.1 itself is affected is unconfirmed here.
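The flaw is the absence of any size bound on the upload path. The following is an added example, not MediaCrush's code and not the PoC: two hypothetical WSGI handlers written in Python 3 (MediaCrush itself is a Python 2.7 Flask application), one with the unbounded shape described above and one with the two checks a practitioner would expect, driven by a constructed environ so it runs offline. The 1 MiB cap, the `app.sink` environ key standing in for the upload directory, and the `run` driver are assumptions of the example.

```python
"""Unbounded upload handler beside a size-capped one (pure WSGI, stdlib only)."""
import io

# Demo cap. Assumption for this example only; a real media host picks its own
# ceiling, and nothing on the page documents MediaCrush's actual limits.
MAX_UPLOAD_BYTES = 1 << 20      # 1 MiB
CHUNK = 64 * 1024               # read the request body in 64 KiB pieces

_PLAIN = [("Content-Type", "text/plain")]


def vulnerable_upload(environ, start_response):
    """Hypothetical handler with the CWE-434 shape described on this page:
    it copies whatever the client sends into storage with no size check, so an
    unauthenticated client with an open-ended body can fill the disk."""
    sink = environ["app.sink"]          # file-like stand-in for the upload store
    body = environ["wsgi.input"]
    while True:
        piece = body.read(CHUNK)
        if not piece:
            break
        sink.write(piece)
    start_response("200 OK", _PLAIN)
    return [b"stored %d bytes\n" % sink.tell()]


def hardened_upload(environ, start_response):
    """The same handler with two checks.
    1. A declared Content-Length above the cap is rejected before any body is read.
    2. Bytes are counted while reading, so a missing or false Content-Length
       (or a chunked body) still cannot exceed the cap; reading stops at cap+1
       instead of draining the rest of the request."""
    declared = environ.get("CONTENT_LENGTH", "")
    if declared.isdigit() and int(declared) > MAX_UPLOAD_BYTES:
        start_response("413 Payload Too Large", _PLAIN)
        return [b"upload exceeds %d bytes\n" % MAX_UPLOAD_BYTES]

    sink = environ["app.sink"]
    body = environ["wsgi.input"]
    received = 0
    while True:
        # Never ask for more than one byte past the cap: that byte is the proof
        # of overflow, and reading further would itself be a resource cost.
        piece = body.read(min(CHUNK, MAX_UPLOAD_BYTES + 1 - received))
        if not piece:
            break
        received += len(piece)
        if received > MAX_UPLOAD_BYTES:
            sink.truncate(0)            # drop the partial object
            start_response("413 Payload Too Large", _PLAIN)
            return [b"upload exceeds %d bytes\n" % MAX_UPLOAD_BYTES]
        sink.write(piece)
    start_response("200 OK", _PLAIN)
    return [b"stored %d bytes\n" % received]


def run(app, body, declared=None):
    """Drive a handler with a constructed WSGI environ (no network, no real disk).
    declared=None sends the true Content-Length; "" omits the header; any other
    string is sent as-is, to model a client that lies about the length.
    Returns (status line, bytes that ended up in the store)."""
    sink = io.BytesIO()
    environ = {
        "REQUEST_METHOD": "POST",
        "PATH_INFO": "/upload",
        "wsgi.input": io.BytesIO(body),
        "app.sink": sink,
    }
    length = str(len(body)) if declared is None else declared
    if length:
        environ["CONTENT_LENGTH"] = length
    seen = {}

    def start_response(status, headers):
        seen["status"] = status

    b"".join(app(environ, start_response))   # consume the iterable as a server would
    return seen["status"], len(sink.getvalue())


if __name__ == "__main__":
    small = b"x" * 1000
    oversized = b"x" * (MAX_UPLOAD_BYTES + 1)
    print("vulnerable, oversized:", run(vulnerable_upload, oversized))
    print("hardened, small:", run(hardened_upload, small))
    print("hardened, oversized, honest length:", run(hardened_upload, oversized))
    print("hardened, oversized, no length:", run(hardened_upload, oversized, declared=""))
    print("hardened, oversized, lying length:", run(hardened_upload, oversized, declared="10"))
```

In a Flask application the framework-level equivalent of the first check is `app.config["MAX_CONTENT_LENGTH"]`, which makes Flask answer 413 for over-long requests; the second check matters because Content-Length is client-controlled, and a reverse-proxy limit in front of the app (for example nginx's `client_max_body_size`) is the cheapest place to stop the request at all. A real handler should also spool to a temporary file and only move it into the upload directory once the size and type checks pass, rather than writing into place as the demo sink does.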

Exploits (1)

nomisec · WORKING POC · 1 star
by pescada-dev · poc
https://github.com/pescada-dev/CVE-2025-61506

Classification: Working PoC (95% confidence)
Attack type: DoS
Complexity: Trivial
Reliability: Reliable
Target: MediaCrush through 1.0.1
Authentication: none required
Prerequisites: a local or remote MediaCrush instance running, with its Python 2.7, Flask 0.10.1, Redis and Celery setup
Analyzed by devstral-2 on Feb 16, 2026


Scores

CVSS v3.1 base score: 9.8 (Critical)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector: NETWORK
EPSS: 0.0056 (0.56% estimated probability of exploitation in the next 30 days)
EPSS percentile: 41.8%

Note that the vector assigns high confidentiality and integrity impact, as an arbitrary file upload can warrant, while the one public PoC tracked here demonstrates only the availability impact (disk exhaustion).

CISA SSVC (Vulnrichment)

Exploitation: poc
Automatable: yes
Technical impact: total

Details

CWE: CWE-434
Status: published
Products (1): mediacrush/mediacrush < 1.0.1
Published: Feb 03, 2026
Tracked since: Feb 18, 2026