CVE-2025-54433

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-54433

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54433.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-54433

Aliases

GHSA-q78p-g86f-jg6q

Published

2025-07-30T14:29:03.510Z

Modified

2025-12-05T10:19:53.951635Z

Severity

7.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Bugsink is vulnerable to Path Traversal attacks via event_id in ingestion

Details

Bugsink is a self-hosted error tracking service. In versions 1.4.2 and below, 1.5.0 through 1.5.4, 1.6.0 through 1.6.3, and 1.7.0 through 1.7.3, ingestion paths construct file locations directly from untrusted eventid input without validation. A specially crafted eventid can result in paths outside the intended directory, potentially allowing file overwrite or creation in arbitrary locations. Submitting such input requires access to a valid DSN, potentially exposing them. If Bugsink runs in a container, the effect is confined to the container’s filesystem. In non-containerized setups, the overwrite may affect other parts of the system accessible to that user. This is fixed in versions 1.4.3, 1.5.5, 1.6.4 and 1.7.4.

Database specific

{
    "cwe_ids": [
        "CWE-22"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/54xxx/CVE-2025-54433.json"
}

References

Affected packages

Git / github.com/bugsink/bugsink

Affected ranges

Type

GIT

Repo

https://github.com/bugsink/bugsink

Events

Introduced

6ec220b3d2619866975c6f65bc3b266673928fc7

Fixed

ee1f4a94d819759bf2583d1adbe425fd3eb7bb48

Database specific

{
    "versions": [
        {
            "introduced": "1.7.0"
        },
        {
            "fixed": "1.7.4"
        }
    ]
}

Type

GIT

Repo

https://github.com/bugsink/bugsink

Events

Introduced

b53b1c6ce2bd6f44d75d238f11fe1309ae342a3e

Fixed

bcc240f78125a065bf1e03084408dbe39dbabeb0

Database specific

{
    "versions": [
        {
            "introduced": "1.6.0"
        },
        {
            "fixed": "1.6.4"
        }
    ]
}

Type

GIT

Repo

https://github.com/bugsink/bugsink

Events

Introduced

dd339f73de93fe6d5f92fd45f81504e2dcfd63a4

Fixed

5b0d0bba4480232c7f6e6493797cca385b93bb1b

Database specific

{
    "versions": [
        {
            "introduced": "1.5.0"
        },
        {
            "fixed": "1.5.5"
        }
    ]
}

Type

GIT

Repo

https://github.com/bugsink/bugsink

Events

Introduced

Fixed

f3092091815add697e7e52bbe151adae35d69f5a

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.4.3"
        }
    ]
}

Affected versions

0.*

0.1.0

0.1.1

0.1.10

0.1.11

0.1.12

0.1.13

0.1.14

0.1.15

0.1.16

0.1.17

0.1.18

0.1.19

0.1.2

0.1.20

0.1.3

0.1.4

0.1.5

0.1.6

0.1.7

0.1.8

0.1.9

1.*

1.0.0

1.0.1

1.1.0

1.1.1

1.1.2

1.2.0

1.3.0

1.4.0

1.4.1

1.4.2

1.5.0

1.5.1

1.5.2

1.5.3

1.5.4

1.6.0

1.6.1

1.6.2

1.6.3