CVE-2025-49809

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-49809
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49809.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-49809
Downstream
Published
2025-07-04T13:15:25.780Z
Modified
2026-04-12T17:14:05.219164Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

mtr through 0.95, in certain privileged contexts, mishandles execution of a program specified by the MTR_PACKET environment variable. NOTE: mtr on macOS may often have Sudo rules, as an indirect consequence of Homebrew not installing setuid binaries.

References

Affected packages

Git / github.com/traviscross/mtr

Affected ranges

Type
GIT
Repo
https://github.com/traviscross/mtr
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
852e5617fbf331cf292723702161f0ac9afe257c
Fixed
5226f105f087c29d3cfad9f28000e7536af91ac6
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.95"
        }
    ]
}

Affected versions

v0.*
v0.21
v0.22
v0.23
v0.24
v0.25
v0.26
v0.27
v0.28
v0.29
v0.30
v0.31
v0.32
v0.33
v0.34
v0.35
v0.36
v0.37
v0.38
v0.39
v0.40
v0.41
v0.42
v0.43
v0.44
v0.45
v0.46
v0.47
v0.48
v0.49
v0.50
v0.51
v0.52
v0.53
v0.54
v0.55
v0.56
v0.57
v0.58
v0.59
v0.60
v0.61
v0.62
v0.63
v0.64
v0.65
v0.66
v0.67
v0.68
v0.69
v0.70
v0.71
v0.72
v0.73
v0.74
v0.75
v0.76
v0.77
v0.78
v0.79
v0.80
v0.81
v0.82
v0.83
v0.84
v0.85
v0.86
v0.87
v0.89
v0.90
v0.91
v0.92
v0.93
v0.94
v0.95

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49809.json"
vanir_signatures_modified 
"2026-04-12T17:14:05Z"
vanir_signatures 
[
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "length": 407.0,
            "function_hash": "16681652394113277516413135706669081176"
        },
        "source": "https://github.com/traviscross/mtr/commit/5226f105f087c29d3cfad9f28000e7536af91ac6",
        "id": "CVE-2025-49809-00c57bbc",
        "signature_type": "Function",
        "target": {
            "function": "execute_packet_child",
            "file": "ui/cmdpipe.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "130744738294911149449444688609472423814",
                "207690493451596768604615775247653891974",
                "86347291717152951334573659812183436400",
                "34455552396450669374438520084853887900",
                "337414420153026760151935062012137024733",
                "197503224174811713144348401540890049053",
                "23844163115196803930372778515719621117"
            ]
        },
        "source": "https://github.com/traviscross/mtr/commit/5226f105f087c29d3cfad9f28000e7536af91ac6",
        "id": "CVE-2025-49809-88cfc652",
        "signature_type": "Line",
        "target": {
            "file": "ui/cmdpipe.c"
        }
    }
]