CVE-2025-35436

Sept. 18, 2025, 1:43 p.m.

6.9
Medium

Description

CISA Thorium uses '.unwrap()' to handle errors related to account verification email messages. An unauthenticated remote attacker could cause a crash by providing a specially crafted email address or response. Fixed in commit 6a65a27.

Product(s) Impacted

Vendor Product Versions
Cisa
  • Thorium
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-248
Uncaught Exception
An exception is thrown from a function, but it is not caught.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a cisa thorium / / / / / / / /

References

https://github.com/mjcarson/thorium/commit/6a65a2711fb2387e8c3eacebc774053741bf5aeb
https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-259-01.json
https://www.cve.org/CVERecord?id=CVE-2025-35436

Tags

9119a7d8-5eab-497f-8521-727c672e3725
CWE-248
2025-09-17
CVE-2025-35436

CVSS Score

6.9 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: LOW
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: Sept. 17, 2025, 5:15 p.m.
Last Modified: Sept. 18, 2025, 1:43 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

9119a7d8-5eab-497f-8521-727c672e3725

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.