CVE-2025-67819
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-67819
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67819.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-67819
- Aliases
- Downstream
- Published
- 2025-12-12T17:15:45.697Z
- Modified
- 2025-12-21T06:41:22.952062Z
- Severity
-
- 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
An issue was discovered in Weaviate OSS before 1.33.4. Due to a lack of validation of the fileName field in the transfer logic, an attacker who can call the GetFile method while a shard is in the "Pause file activity" state and the FileReplicationService is reachable can read arbitrary files accessible to the service process.
- References
Affected packages
Git / github.com/weaviate/weaviate
Affected ranges
- Type
- GIT
- Repo
- https://github.com/weaviate/weaviate
- Events
-
IntroducedLast affectedIntroducedLast affectedIntroducedLast affectedIntroducedLast affected
Affected versions
v1.*
v1.26.18
v1.27.17
v1.27.18
v1.27.19
v1.27.20
v1.27.21
v1.27.22
v1.27.23
v1.27.24
v1.27.25
v1.27.26
v1.27.27
v1.28.12
v1.28.13
v1.28.14
v1.28.15
v1.28.16
v1.29.10
v1.29.11
v1.29.3
v1.29.4
v1.29.5
v1.29.6
v1.29.7
v1.29.8
v1.29.9
v1.30.0
v1.30.1
v1.30.10
v1.30.11
v1.30.12
v1.30.13
v1.30.14
v1.30.15
v1.30.16
v1.30.17
v1.30.18
v1.30.19
v1.30.2
v1.30.3
v1.30.4
v1.30.5
v1.30.6
v1.30.7
v1.30.8
v1.30.9
v1.31.0
v1.31.1
v1.31.10
v1.31.11
v1.31.12
v1.31.13
v1.31.14
v1.31.15
v1.31.16
v1.31.17
v1.31.18
v1.31.2
v1.31.3
v1.31.4
v1.31.5
v1.31.6
v1.31.7
v1.31.8
v1.31.9
v1.32.11
v1.32.12
v1.32.13
v1.32.14
v1.32.15
v1.33.0
v1.33.1
v1.33.2
v1.33.3