Overview
CVE-2019-25709 is a critical severity vulnerability (CVSS 9.8) affecting CF Image Hosting Script version 1.6.5. The flaw enables unauthenticated remote attackers to directly access and download the application's SQLite database file, extract sensitive delete IDs stored in plaintext, and leverage those IDs to permanently delete all images hosted on the service.
This vulnerability was published to the National Vulnerability Database (NVD) on April 12, 2026, and affects any publicly accessible deployment of CF Image Hosting Script 1.6.5 that has not applied mitigations.
Technical Details
Vulnerability Type
- CWE Classification: Improper Access Control / Information Disclosure
- CVSS Score: 9.8 (Critical)
- Attack Vector: Network (remote, unauthenticated)
- Authentication Required: None
How the Attack Works
The application stores its database file at a predictable and publicly accessible path:
/upload/data/imgdb.db
An attacker can issue a simple HTTP GET request to retrieve the entire SQLite database without any credentials or session tokens. Once downloaded, the database can be deserialized using standard SQLite tooling to expose all stored records.
Within this database, image delete IDs are stored in plaintext. These IDs are the only authorization mechanism protecting image deletion. An attacker who obtains them can submit requests to delete any or all images hosted on the platform — effectively wiping the entire service.
Attack chain summary:
- Attacker sends
GET /upload/data/imgdb.dbto the target server - Server returns the full SQLite database without authentication
- Attacker deserializes database, extracts plaintext delete IDs
- Attacker submits deletion requests using extracted IDs
- All hosted images are deleted — no credentials required
Impact
| Impact Area | Severity |
|---|---|
| Confidentiality | High — Full database exposure |
| Integrity | High — All images can be destroyed |
| Availability | High — Complete content deletion possible |
Any operator running CF Image Hosting Script 1.6.5 with the default configuration is at risk of:
- Complete data theft: All image metadata, URLs, and delete credentials exposed
- Irreversible content deletion: Hosted images can be wiped by any remote actor
- Reputational damage: Users relying on the platform for image hosting lose all content
Affected Versions
| Product | Affected Version | Fixed Version |
|---|---|---|
| CF Image Hosting Script | 1.6.5 | Not confirmed — upgrade recommended |
Remediation
Immediate Mitigations
-
Restrict web server access to the database file. Add a server-level rule to block HTTP access to
*.dbfiles in theupload/data/directory.Apache (.htaccess):
<FilesMatch "\.db$"> Order Allow,Deny Deny from all </FilesMatch>Nginx:
location ~* \.db$ { deny all; return 403; } -
Move the database outside the web root. Store
imgdb.dbin a directory not served by the web server, then update application configuration to reference the new path. -
Rotate delete IDs. Treat all existing delete IDs as compromised. Regenerate credentials if the application supports it.
-
Audit server access logs. Review HTTP access logs for
GET /upload/data/imgdb.dbrequests that may indicate prior exploitation. -
Consider migrating to a maintained alternative. CF Image Hosting Script 1.6.5 appears to be an unmaintained project. Evaluate supported alternatives for production image hosting.
References
- NVD Entry — CVE-2019-25709
- CVSS v3.1 Score: 9.8 Critical
- Published: April 12, 2026
Disclosure Timeline
| Date | Event |
|---|---|
| 2019 (original discovery) | Vulnerability initially identified in CF Image Hosting Script 1.6.5 |
| April 12, 2026 | Published to National Vulnerability Database (NVD) |
This advisory is published for informational and defensive purposes. If you operate CF Image Hosting Script, apply the mitigations above immediately.