CVE-2025-50735: 
NextChat vulnerability analysis and mitigation

Directory traversal vulnerability identified in NextChat through version 2.16.0 (CVE-2025-50735). The vulnerability exists in the WebDAV proxy component which fails to properly canonicalize or reject dot path segments in its catch-all route. This vulnerability was disclosed on November 3, 2025 (NVD).

The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) with a CVSS v3.1 base score of 7.5 (High). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requires no privileges (PR:N), and no user interaction (UI:N). The scope is unchanged (S:U) with high impact on confidentiality (C:H) but no impact on integrity (I:N) or availability (A:N) (NVD, AttackerKB).

The vulnerability allows attackers to gain access to sensitive information through both authenticated and anonymous WebDAV endpoints. The high CVSS score of 7.5 indicates significant potential impact, particularly concerning data confidentiality (NVD).

Users should upgrade NextChat to a version newer than 2.16.0 once available. As this is a recently disclosed vulnerability, organizations should monitor vendor announcements for patch availability (NVD).