CVE-2025-32779

Source
https://cve.org/CVERecord?id=CVE-2025-32779
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32779.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-32779
Aliases
  • GHSA-9v34-frgq-63mv
Published
2025-04-15T16:32:31.992Z
Modified
2026-04-12T15:36:23.570605Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Summary
labsai/eddi Vulnerable to Path Traversal (Zip Slip) in ZIP Import Function
Details

E.D.D.I (Enhanced Dialog Driven Interface) is a middleware to connect and manage LLM API bots. In versions before 5.5.0, an attacker with access to the /backup/import API endpoint can write arbitrary files to locations outside the intended extraction directory due to a Zip Slip vulnerability. Although the application runs as a non-root user (185), limiting direct impact on system-level files, this vulnerability can still be exploited to overwrite application files (e.g., JAR libraries) owned by the application user. This overwrite can potentially lead to Remote Code Execution (RCE) within the application's context. This issue has been patched in version 5.5.0.

Database specific
{
    "cwe_ids": [
        "CWE-22"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/32xxx/CVE-2025-32779.json"
}
References

Affected packages

Git / github.com/labsai/EDDI

Affected ranges

Type
GIT
Repo
https://github.com/labsai/EDDI
Events
Introduced
0 (unknown introduced commit; all previous commits are affected)
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.5.0"
        }
    ]
}
Type
GIT
Repo
https://github.com/labsai/eddi
Events
Introduced
0 (unknown introduced commit; all previous commits are affected)
Fixed

Affected versions

4.*
4.4.1
4.5.0
dev-4.*
dev-4.5.0

Database specific

vanir_signatures
[
    {
        "id": "CVE-2025-32779-0763d0d1",
        "target": {
            "file": "src/main/java/ai/labs/eddi/backup/impl/RestImportService.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/labsai/eddi/commit/1e207d0e4f72a5a93920bc0f76cad53ffd8e7065",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
            ],
            "threshold": 0.9
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-32779-0fdd62d0",
        "target": {
            "file": "src/main/java/ai/labs/eddi/backup/impl/ZipArchive.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/labsai/eddi/commit/1e207d0e4f72a5a93920bc0f76cad53ffd8e7065",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
            ],
            "threshold": 0.9
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-32779-12492dd1",
        "target": {
            "function": "importBot",
            "file": "src/main/java/ai/labs/eddi/backup/impl/RestImportService.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/labsai/eddi/commit/1e207d0e4f72a5a93920bc0f76cad53ffd8e7065",
        "signature_type": "Function",
        "digest": {
            "function_hash": "170235029497255835320362654095404900385",
            "length": 386.0
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-32779-225742f4",
        "target": {
            "function": "unzip",
            "file": "src/main/java/ai/labs/eddi/backup/impl/ZipArchive.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/labsai/eddi/commit/1e207d0e4f72a5a93920bc0f76cad53ffd8e7065",
        "signature_type": "Function",
        "digest": {
            "function_hash": "270838164716090015932298739875038922413",
            "length": 531.0
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-32779-4c00765a",
        "target": {
            "function": "parsePackage",
            "file": "src/main/java/ai/labs/eddi/backup/impl/RestImportService.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/labsai/eddi/commit/1e207d0e4f72a5a93920bc0f76cad53ffd8e7065",
        "signature_type": "Function",
        "digest": {
            "function_hash": "30220887300463892129364866405160560530",
            "length": 2293.0
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-32779-7ee83a25",
        "target": {
            "function": "readResources",
            "file": "src/main/java/ai/labs/eddi/backup/impl/RestImportService.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/labsai/eddi/commit/1e207d0e4f72a5a93920bc0f76cad53ffd8e7065",
        "signature_type": "Function",
        "digest": {
            "function_hash": "170661427361577036702915137415505629741",
            "length": 1664.0
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-32779-9cb67c1b",
        "target": {
            "function": "updateDocumentDescriptor",
            "file": "src/main/java/ai/labs/eddi/backup/impl/RestImportService.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/labsai/eddi/commit/1e207d0e4f72a5a93920bc0f76cad53ffd8e7065",
        "signature_type": "Function",
        "digest": {
            "function_hash": "20353631034692009852892560096829595527",
            "length": 726.0
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-32779-ca3b05e3",
        "target": {
            "function": "importBotZipFile",
            "file": "src/main/java/ai/labs/eddi/backup/impl/RestImportService.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/labsai/eddi/commit/1e207d0e4f72a5a93920bc0f76cad53ffd8e7065",
        "signature_type": "Function",
        "digest": {
            "function_hash": "43681666246247741502630187460893460847",
            "length": 866.0
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-32779-d18f4f41",
        "target": {
            "function": "writeZipFile",
            "file": "src/main/java/ai/labs/eddi/backup/impl/ZipArchive.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/labsai/eddi/commit/1e207d0e4f72a5a93920bc0f76cad53ffd8e7065",
        "signature_type": "Function",
        "digest": {
            "function_hash": "290344362823795884577540007329675844404",
            "length": 304.0
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-32779-e1b31c66",
        "target": {
            "function": "addToZip",
            "file": "src/main/java/ai/labs/eddi/backup/impl/ZipArchive.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/labsai/eddi/commit/1e207d0e4f72a5a93920bc0f76cad53ffd8e7065",
        "signature_type": "Function",
        "digest": {
            "function_hash": "150329435343988104295078714748621850602",
            "length": 486.0
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-32779-ebee479a",
        "target": {
            "function": "extractFile",
            "file": "src/main/java/ai/labs/eddi/backup/impl/ZipArchive.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/labsai/eddi/commit/1e207d0e4f72a5a93920bc0f76cad53ffd8e7065",
        "signature_type": "Function",
        "digest": {
            "function_hash": "284798236632199595766781436213497007156",
            "length": 300.0
        },
        "deprecated": false
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32779.json"
vanir_signatures_modified
"2026-04-12T15:36:23Z"