CVE-2025-58060

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.12 and earlier, when the AuthType is set to anything but Basic, if the request contains an Authorization: Basic ... header, the password is not checked. This results in authentication bypass. Any configuration that allows an AuthType that is not Basic is affected. Version 2.4.13 fixes the issue.

Database specific

{
    "cwe_ids": [
        "CWE-287"
    ]
}

References

Affected packages

Git / github.com/openprinting/cups

Affected ranges

Type: GIT
Repo: https://github.com/openprinting/cups
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

eee59dd0b55a0b11b80bda6ca437d60fee5faa09

Affected versions

v2.*

v2.2.0

v2.2.1

v2.2.2

v2.2.3

v2.2.4

v2.2.5

v2.2.6

v2.2b1

v2.2b2

v2.2rc1

v2.3.0

v2.3.1

v2.3.3

v2.3.3op1

v2.3.3op2

v2.3b1

v2.3b2

v2.3b3

v2.3b4

v2.3b5

v2.3b6

v2.3b7

v2.3b8

v2.3rc1

v2.4.0

v2.4.1

v2.4.10

v2.4.11

v2.4.12

v2.4.2

v2.4.3

v2.4.4

v2.4.5

v2.4.6

v2.4.7

v2.4.8

v2.4.9

v2.4b1

v2.4rc1

Database specific

vanir_signatures

[
    {
        "source": "https://github.com/openprinting/cups/commit/eee59dd0b55a0b11b80bda6ca437d60fee5faa09",
        "target": {
            "file": "cups/cups.h"
        },
        "id": "CVE-2025-58060-a39766a3",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "273716230938177953313785311992748259673",
                "92386521260343005417693861735643589009",
                "107158546563069763322274401735430584915",
                "157108054365630463462527904057947491688",
                "64681268632403199256611162265020830067",
                "178325614230891376260217678751698712977",
                "310692027295275001078364988996233046806"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "signature_type": "Line"
    }
]