AZL-64296

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-64296.json

JSON Data

https://api.osv.dev/v1/vulns/AZL-64296

Upstream

CVE-2025-52968

Published

2025-06-23T15:15:29Z

Modified

2026-04-21T04:32:21.517141Z

Summary

CVE-2025-52968 affecting package xdg-utils 1.2.1-3

Details

xdg-open in xdg-utils through 1.2.1 can send requests containing SameSite=Strict cookies, which can facilitate CSRF. (For example, xdg-open could be modified to, by default, associate x-scheme-handler/https with the execution of a browser with command-line options that arrange for an empty cookie store, although this would add substantial complexity, and would not be considered a desirable or expected behavior by all users.) NOTE: this is disputed because integrations of xdg-open typically do not provide information about whether the xdg-open command and arguments were manually entered by a user, or whether they were the result of a navigation from content in an untrusted origin.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-52968

Affected packages

Azure Linux:3 / xdg-utils

Package

Name: xdg-utils
Purl: pkg:rpm/azure-linux/xdg-utils

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.2.1-3

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-64296.json"