CVE-2025-67819
- Source
- https://cve.org/CVERecord?id=CVE-2025-67819
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67819.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-67819
- Aliases
- Downstream
- Published
- 2025-12-12T17:15:45.697Z
- Modified
- 2026-03-13T03:42:59.461750Z
- Severity
-
- 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
An issue was discovered in Weaviate OSS before 1.33.4. Due to a lack of validation of the fileName field in the transfer logic, an attacker who can call the GetFile method while a shard is in the "Pause file activity" state and the FileReplicationService is reachable can read arbitrary files accessible to the service process.
- References
Affected packages
Git / github.com/weaviate/weaviate
Affected ranges
- Type
- GIT
- Repo
- https://github.com/weaviate/weaviate
- Events
-
IntroducedLast affectedIntroducedLast affectedIntroducedLast affectedIntroducedLast affected
- Database specific
{ "versions": [ { "introduced": "1.30.0" }, { "last_affected": "1.30.19" }, { "introduced": "1.31.0" }, { "last_affected": "1.31.18" }, { "introduced": "1.32.0" }, { "last_affected": "1.32.15" }, { "introduced": "1.33.0" }, { "last_affected": "1.33.3" } ] }
Affected versions
v1.*
v1.26.18
v1.27.17
v1.27.18
v1.27.19
v1.27.20
v1.27.21
v1.27.22
v1.27.23
v1.27.24
v1.27.25
v1.27.26
v1.27.27
v1.28.12
v1.28.13
v1.28.14
v1.28.15
v1.28.16
v1.29.10
v1.29.11
v1.29.3
v1.29.4
v1.29.5
v1.29.6
v1.29.7
v1.29.8
v1.29.9
v1.30.0
v1.30.1
v1.30.10
v1.30.11
v1.30.12
v1.30.13
v1.30.14
v1.30.15
v1.30.16
v1.30.17
v1.30.18
v1.30.19
v1.30.2
v1.30.3
v1.30.4
v1.30.5
v1.30.6
v1.30.7
v1.30.8
v1.30.9