CVE-2025-0509

A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkle’s (Ed)DSA signing checks.

References

Affected packages

Git / github.com/sparkle-project/Sparkle

Affected ranges

Type

GIT

Repo

https://github.com/sparkle-project/Sparkle

Events

Introduced

Fixed

0ef1ee0220239b3776f433314515fd849025673f

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.6.4"
        }
    ]
}

Affected versions

1.*

1.10.0

1.10.0rc1

1.11.0

1.11.0rc1

1.11.0rc2

1.11.1

1.12.0

1.12.0a1

1.12.0a2

1.12.0a3

1.12.0b1

1.13.0

1.13.1

1.13.1-mistagged

1.14.0

1.14.0rc1

1.14.0rc2

1.14.0rc3

1.15.0

1.15.0b1

1.15.0b2

1.15.0b3

1.15.1

1.16.0

1.16.0a1

1.16.0a2

1.16.0b1

1.17.0

1.17.0a1

1.17.0b1

1.18.0

1.18.0a1

1.18.0b2

1.18.1

1.19.0

1.19.0rc1

1.19.0rc2

1.19.1a1

1.19.1rc1

1.20.0

1.20.0b1

1.6.0

1.6.1

1.7.0

1.7.1

1.8.0

1.9.0

1.9.0rc1

2.*

2.0.0

2.0.0-beta.1

2.0.0-beta.2

2.0.0-beta.3

2.0.0-beta.4

2.0.0-beta.5

2.0.0-beta.6

2.0.0-rc.1

2.1.0

2.1.0-beta.1

2.1.0-beta.2

2.2.0

2.2.0-beta.1

2.2.0-beta.2

2.2.1

2.3.0

2.3.0-beta.1

2.3.0-beta.2

2.4.0

2.4.0-beta.1

2.4.0-beta.2

2.4.1

2.4.1-beta.1

2.4.2

2.5.0

2.5.0-beta.1

2.5.0-beta.2

2.5.1

2.5.2

2.6.0

2.6.0-beta.1

2.6.0-beta.2

2.6.1

2.6.2

2.6.3

sparkle-1.*

sparkle-1.5b1

sparkle-1.5b2

sparkle-1.5b3

sparkle-1.5b4

sparkle-1.5b5

sparkle-1.5b6

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-0509.json"