CVE-2025-54433

July 31, 2025, 6:42 p.m.

7.2
High

Description

Bugsink is a self-hosted error tracking service. In versions 1.4.2 and below, 1.5.0 through 1.5.4, 1.6.0 through 1.6.3, and 1.7.0 through 1.7.3, ingestion paths construct file locations directly from untrusted event_id input without validation. A specially crafted event_id can result in paths outside the intended directory, potentially allowing file overwrite or creation in arbitrary locations. Submitting such input requires access to a valid DSN, potentially exposing them. If Bugsink runs in a container, the effect is confined to the container’s filesystem. In non-containerized setups, the overwrite may affect other parts of the system accessible to that user. This is fixed in versions 1.4.3, 1.5.5, 1.6.4 and 1.7.4.

Product(s) Impacted

Vendor Product Versions
Bugsink
  • Bugsink
  • 1.4.2, 1.5.0-1.5.4, 1.6.0-1.6.3, 1.7.0-1.7.3

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a bugsink bugsink 1.4.2 / / / / / / /
a bugsink bugsink 1.5.0-1.5.4 / / / / / / /
a bugsink bugsink 1.6.0-1.6.3 / / / / / / /
a bugsink bugsink 1.7.0-1.7.3 / / / / / / /

References

https://github.com/bugsink/bugsink/commit/1001726f4389e982c486cdd5fa81941cb46cfc33
https://github.com/bugsink/bugsink/commit/211ddf76758c808c095b5f836c363f148d934d21
https://github.com/bugsink/bugsink/commit/2c41fbe3881bdea83399a7f9fdc8cff198ae089f
https://github.com/bugsink/bugsink/commit/53cf1a17a3e96f7c83c7451fd56f980a09d0c9b0
https://github.com/bugsink/bugsink/commit/55a155003d0b416ea008c5e7dcde85130ad21d9b
https://github.com/bugsink/bugsink/commit/b94aa8a5c96ce8cdd9711b6beb4e518264993ac2
https://github.com/bugsink/bugsink/commit/c341687bd655543730c812db35c29199f788be6b
https://github.com/bugsink/bugsink/commit/c87217bd565122ba70af90436e3ab2cd9bee658f
https://github.com/bugsink/bugsink/security/advisories/GHSA-q78p-g86f-jg6q

Tags

security-advisories@github.com
CWE-22
2025-07-30
CVE-2025-54433

CVSS Score

7.2 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: NONE
  • Integrity Impact: HIGH
  • Availability Impact: HIGH
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: July 30, 2025, 3:15 p.m.
Last Modified: July 31, 2025, 6:42 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.