CVE-2025-0509

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-0509
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-0509.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-0509
Aliases
Downstream
Related
Published
2025-02-04T20:15:49.763Z
Modified
2025-11-20T12:32:07.077793Z
Severity
  • 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkle’s (Ed)DSA signing checks.

References

Affected packages

Git / github.com/sparkle-project/sparkle

Affected ranges

Type
GIT
Repo
https://github.com/sparkle-project/sparkle
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
0ef1ee0220239b3776f433314515fd849025673f

Affected versions

1.*

1.10.0
1.10.0rc1
1.11.0
1.11.0rc1
1.11.0rc2
1.11.1
1.12.0
1.12.0a1
1.12.0a2
1.12.0a3
1.12.0b1
1.13.0
1.13.1
1.13.1-mistagged
1.14.0
1.14.0rc1
1.14.0rc2
1.14.0rc3
1.15.0
1.15.0b1
1.15.0b2
1.15.0b3
1.15.1
1.16.0
1.16.0a1
1.16.0a2
1.16.0b1
1.17.0
1.17.0a1
1.17.0b1
1.18.0
1.18.0a1
1.18.0b2
1.18.1
1.19.0
1.19.0rc1
1.19.0rc2
1.19.1a1
1.19.1rc1
1.20.0
1.20.0b1
1.6.0
1.6.1
1.7.0
1.7.1
1.8.0
1.9.0
1.9.0rc1

2.*

2.0.0
2.0.0-beta.1
2.0.0-beta.2
2.0.0-beta.3
2.0.0-beta.4
2.0.0-beta.5
2.0.0-beta.6
2.0.0-rc.1
2.1.0
2.1.0-beta.1
2.1.0-beta.2
2.2.0
2.2.0-beta.1
2.2.0-beta.2
2.2.1
2.3.0
2.3.0-beta.1
2.3.0-beta.2
2.4.0
2.4.0-beta.1
2.4.0-beta.2
2.4.1
2.4.1-beta.1
2.4.2
2.5.0
2.5.0-beta.1
2.5.0-beta.2
2.5.1
2.5.2
2.6.0
2.6.0-beta.1
2.6.0-beta.2
2.6.1
2.6.2
2.6.3

sparkle-1.*

sparkle-1.5b1
sparkle-1.5b2
sparkle-1.5b3
sparkle-1.5b4
sparkle-1.5b5
sparkle-1.5b6

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-0509.json"