CVE-2025-70085

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-70085

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-70085.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-70085

Published

2026-02-11T18:16:06.600Z

Modified

2026-02-25T01:31:05.057220Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

An issue was discovered in OpenSatKit 2.2.1. The EventErrStr buffer has a fixed size of 256 bytes. The code uses sprintf to format two filenames (Source1Filename and the string returned by FileUtilFileStateStr) into this buffer without any length checking and without using bounded format specifiers such as %.*s. If the filename length approaches OSMAXPATHLEN (commonly 64-256 bytes), the combined formatted string together with constant text can exceed 256 bytes, resulting in a stack buffer overflow. Such unsafe sprintf calls are scattered across multiple functions in file.c, including FILE_ConcatenateCmd() and ConcatenateFiles(), all of which fail to validate the output length.

References

Affected packages

Git / github.com/opensatkit/opensatkit

Affected ranges

Type: GIT
Repo: https://github.com/opensatkit/opensatkit
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

0c8d552dd0585a00593c08717845267d979a4951

Affected versions

V1.*

V1.2

v1.*

v1.0

v1.1

v1.6

v1.7

v1.7.1

v2.*

v2.0

v2.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-70085.json"