CVE-2025-55194 (GCVE-0-2025-55194)
Vulnerability from cvelistv5 – Published: 2025-08-13 22:46 – Updated: 2025-08-14 14:51
VLAI?
Title
Part-DB Persistent Denial of Service via Uncaught Exception from Misleading File Extension in Avatar Upload
Summary
Part-DB is an open source inventory management system for electronic components. Prior to version 1.17.3, any authenticated user can upload a profile picture with a misleading file extension (e.g., .jpg.txt), resulting in a persistent 500 Internal Server Error when attempting to view or edit that user’s profile. This makes the profile permanently inaccessible via the UI for both users and administrators, constituting a Denial of Service (DoS) within the user management interface. This issue has been patched in version 1.17.3.
Severity ?
5.7 (Medium)
CWE
- CWE-248 - Uncaught Exception
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Part-DB | Part-DB-server |
Affected:
< 1.17.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55194",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-14T14:33:50.624240Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-14T14:51:03.540Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://drive.google.com/file/d/10exp_BS9kRKHrFSPjiA_ZYUVJbHN8doW/view"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/Part-DB/Part-DB-server/security/advisories/GHSA-7rv3-rcxv-69ww"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Part-DB-server",
"vendor": "Part-DB",
"versions": [
{
"status": "affected",
"version": "\u003c 1.17.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Part-DB is an open source inventory management system for electronic components. Prior to version 1.17.3, any authenticated user can upload a profile picture with a misleading file extension (e.g., .jpg.txt), resulting in a persistent 500 Internal Server Error when attempting to view or edit that user\u2019s profile. This makes the profile permanently inaccessible via the UI for both users and administrators, constituting a Denial of Service (DoS) within the user management interface. This issue has been patched in version 1.17.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-248",
"description": "CWE-248: Uncaught Exception",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-13T22:46:30.217Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Part-DB/Part-DB-server/security/advisories/GHSA-7rv3-rcxv-69ww",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Part-DB/Part-DB-server/security/advisories/GHSA-7rv3-rcxv-69ww"
},
{
"name": "https://github.com/Part-DB/Part-DB-server/commit/d370f976a7b0c19d502aadbaa0f93eb90c2a6ffa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Part-DB/Part-DB-server/commit/d370f976a7b0c19d502aadbaa0f93eb90c2a6ffa"
},
{
"name": "https://drive.google.com/file/d/10exp_BS9kRKHrFSPjiA_ZYUVJbHN8doW/view",
"tags": [
"x_refsource_MISC"
],
"url": "https://drive.google.com/file/d/10exp_BS9kRKHrFSPjiA_ZYUVJbHN8doW/view"
}
],
"source": {
"advisory": "GHSA-7rv3-rcxv-69ww",
"discovery": "UNKNOWN"
},
"title": "Part-DB Persistent Denial of Service via Uncaught Exception from Misleading File Extension in Avatar Upload"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-55194",
"datePublished": "2025-08-13T22:46:30.217Z",
"dateReserved": "2025-08-08T21:55:07.963Z",
"dateUpdated": "2025-08-14T14:51:03.540Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-55194\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-08-13T23:15:27.327\",\"lastModified\":\"2025-08-26T19:17:38.583\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Part-DB is an open source inventory management system for electronic components. Prior to version 1.17.3, any authenticated user can upload a profile picture with a misleading file extension (e.g., .jpg.txt), resulting in a persistent 500 Internal Server Error when attempting to view or edit that user\u2019s profile. This makes the profile permanently inaccessible via the UI for both users and administrators, constituting a Denial of Service (DoS) within the user management interface. This issue has been patched in version 1.17.3.\"},{\"lang\":\"es\",\"value\":\"Part-DB es un sistema de gesti\u00f3n de inventario de c\u00f3digo abierto para componentes electr\u00f3nicos. Antes de la versi\u00f3n 1.17.3, cualquier usuario autenticado pod\u00eda subir una foto de perfil con una extensi\u00f3n de archivo enga\u00f1osa (p. ej., .jpg.txt), lo que provocaba un error interno del servidor 500 persistente al intentar ver o editar el perfil de dicho usuario. Esto hac\u00eda que el perfil fuera permanentemente inaccesible a trav\u00e9s de la interfaz de usuario, tanto para usuarios como para administradores, lo que constitu\u00eda una denegaci\u00f3n de servicio (DoS) en la interfaz de administraci\u00f3n de usuarios. Este problema se ha corregido en la versi\u00f3n 1.17.3.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H\",\"baseScore\":5.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.1,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-248\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:part-db_project:part-db:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.17.3\",\"matchCriteriaId\":\"F453A4D0-539A-4D14-B66E-7C9FC4C6B04F\"}]}]}],\"references\":[{\"url\":\"https://drive.google.com/file/d/10exp_BS9kRKHrFSPjiA_ZYUVJbHN8doW/view\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\"]},{\"url\":\"https://github.com/Part-DB/Part-DB-server/commit/d370f976a7b0c19d502aadbaa0f93eb90c2a6ffa\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/Part-DB/Part-DB-server/security/advisories/GHSA-7rv3-rcxv-69ww\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://drive.google.com/file/d/10exp_BS9kRKHrFSPjiA_ZYUVJbHN8doW/view\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\"]},{\"url\":\"https://github.com/Part-DB/Part-DB-server/security/advisories/GHSA-7rv3-rcxv-69ww\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-55194\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-14T14:33:50.624240Z\"}}}], \"references\": [{\"url\": \"https://drive.google.com/file/d/10exp_BS9kRKHrFSPjiA_ZYUVJbHN8doW/view\", \"tags\": [\"exploit\"]}, {\"url\": \"https://github.com/Part-DB/Part-DB-server/security/advisories/GHSA-7rv3-rcxv-69ww\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-08-14T13:41:59.829Z\"}}], \"cna\": {\"title\": \"Part-DB Persistent Denial of Service via Uncaught Exception from Misleading File Extension in Avatar Upload\", \"source\": {\"advisory\": \"GHSA-7rv3-rcxv-69ww\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"Part-DB\", \"product\": \"Part-DB-server\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.17.3\"}]}], \"references\": [{\"url\": \"https://github.com/Part-DB/Part-DB-server/security/advisories/GHSA-7rv3-rcxv-69ww\", \"name\": \"https://github.com/Part-DB/Part-DB-server/security/advisories/GHSA-7rv3-rcxv-69ww\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/Part-DB/Part-DB-server/commit/d370f976a7b0c19d502aadbaa0f93eb90c2a6ffa\", \"name\": \"https://github.com/Part-DB/Part-DB-server/commit/d370f976a7b0c19d502aadbaa0f93eb90c2a6ffa\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://drive.google.com/file/d/10exp_BS9kRKHrFSPjiA_ZYUVJbHN8doW/view\", \"name\": \"https://drive.google.com/file/d/10exp_BS9kRKHrFSPjiA_ZYUVJbHN8doW/view\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Part-DB is an open source inventory management system for electronic components. Prior to version 1.17.3, any authenticated user can upload a profile picture with a misleading file extension (e.g., .jpg.txt), resulting in a persistent 500 Internal Server Error when attempting to view or edit that user\\u2019s profile. This makes the profile permanently inaccessible via the UI for both users and administrators, constituting a Denial of Service (DoS) within the user management interface. This issue has been patched in version 1.17.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-248\", \"description\": \"CWE-248: Uncaught Exception\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-08-13T22:46:30.217Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-55194\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-14T14:51:03.540Z\", \"dateReserved\": \"2025-08-08T21:55:07.963Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-08-13T22:46:30.217Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…