GHSA-8jf4-fcjr-68c2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8jf4-fcjr-68c2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-8jf4-fcjr-68c2/GHSA-8jf4-fcjr-68c2.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-8jf4-fcjr-68c2
- Aliases
- Published
- 2025-06-19T21:31:19Z
- Modified
- 2025-07-09T01:42:08.501513Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
- 2.0 (Low) CVSS_V4 - CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
- Summary
- Upsonic is vulnerable to Path Traversal attack through its os.path.join function
- Details
-
A vulnerability classified as critical was found in Upsonic up to 0.55.6. This vulnerability affects the function os.path.join of the file markdown/server.py. The manipulation of the argument file.filename leads to path traversal. The exploit has been disclosed to the public and may be used.
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2025-07-09T01:00:21Z", "nvd_published_at": "2025-06-19T21:15:27Z", "cwe_ids": [ "CWE-22" ], "severity": "LOW" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2025-6278
- https://github.com/Upsonic/Upsonic/issues/356
- https://github.com/Upsonic/Upsonic/pull/360
- https://github.com/Upsonic/Upsonic/commit/a54529acc6e4bfe28f4f5c80c058144348a306b7
- https://github.com/Upsonic/Upsonic
- https://github.com/Upsonic/Upsonic/blob/v0.55.6/src/upsonic/server/markdown/server/server.py#L39
- https://github.com/pypa/advisory-database/tree/main/vulns/upsonic/PYSEC-2025-67.yaml
- https://vuldb.com/?ctiid.313282
- https://vuldb.com/?id.313282
- https://vuldb.com/?submit.593096
Affected packages
PyPI / upsonic
Package
- Name
- upsonic
- View open source insights on deps.dev
- Purl
- pkg:pypi/upsonic
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.56.0
Affected versions
0.*
0.4.2
0.4.3
0.4.4
0.4.5
0.4.6
0.4.7
0.4.8
0.4.9
0.4.10
0.4.11
0.4.12
0.4.13
0.4.14
0.4.15
0.5.0
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.7.0
0.7.1
0.7.2
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.9.0
0.10.0
0.10.1
0.10.2
0.11.0
0.11.1
0.11.2
0.11.3
0.11.4
0.11.5
0.11.6
0.11.7
0.11.8
0.11.9
0.11.10
0.11.11
0.12.0
0.12.1
0.12.2
0.12.3
0.12.4
0.12.5
0.13.0
0.13.1
0.13.2
0.13.3
0.14.0
0.14.1
0.14.2
0.14.3
0.15.0
0.16.0
0.16.1
0.17.0
0.17.1
0.18.0
0.19.0
0.19.1
0.19.2
0.19.3
0.19.4
0.20.0
0.20.1
0.20.2
0.20.3
0.21.0
0.22.0
0.23.0
0.23.1
0.23.2
0.23.3
0.23.4
0.24.0
0.24.1
0.24.2
0.25.0
0.26.0
0.27.0
0.28.0
0.28.1
0.28.2
0.28.3
0.28.4
0.30.0
0.30.2
0.30.7
0.32.0
0.33.1
0.34.0
0.34.1
0.34.2
0.34.3
0.35.0a1736970242
0.35.0a1736970720
0.35.0a1736971149
0.35.0a1736971897
0.35.0a1736972885
0.35.0a1736974243
0.35.0a1736975119
0.35.0a1736976284
0.35.0a1736978167
0.35.0a1736979941
0.35.0a1736981630
0.35.0a1736982287
0.35.0a1736982640
0.35.0a1736983736
0.35.0a1736984772
0.35.0a1736986092
0.35.0a1737010781
0.35.0a1737010942
0.35.0a1737015222
0.35.0a1737016349
0.35.0a1737023679
0.35.0a1737033652
0.35.0a1737033931
0.35.0a1737034519
0.35.0a1737042503
0.35.0a1737042958
0.35.0a1737043600
0.35.0a1737044257
0.35.0a1737044843
0.35.0a1737045225
0.35.0a1737114840
0.35.0a1737114977
0.35.0a1737116875
0.35.0a1737117468
0.35.0a1737122839
0.35.0a1737195981
0.35.0a1737212799
0.35.0a1737217937
0.35.0a1737218956
0.35.0a1737227112
0.35.0a1737311492
0.35.0a1737315034
0.35.0a1737379903
0.36.0a1737396881
0.36.0a1737401408
0.36.0a1737407655
0.36.0a1737409215
0.36.0a1737410849
0.36.0a1737438831
0.36.0a1737457705
0.36.0a1737482268
0.36.0a1737482779
0.36.0a1737487622
0.36.0a1737496270
0.36.0a1737496729
0.36.0a1737498136
0.36.0a1737539419
0.36.0a1737542896
0.36.0a1737628376
0.36.0
0.37.0
0.38.0a1737809635
0.38.0
0.38.1a1738355936
0.38.1
0.39.0a1738407703
0.39.0a1738408485
0.39.0a1738409132
0.39.0a1738413952
0.39.0a1738417207
0.39.0
0.40.0
0.40.1a1738430067
0.40.1a1738431780
0.40.1
0.40.2
0.40.3
0.40.4a1738504324
0.40.4
0.40.5a1738608355
0.40.5a1738609512
0.40.5a1738609921
0.40.5a1738610310
0.40.5a1738610551
0.40.5
0.40.6a1738619561
0.40.6
0.40.7a1738837197
0.40.7a1738851334
0.40.7a1738858117
0.40.7a1738865999
0.40.7a1738874469
0.40.7
0.41.0a1738875992
0.41.0a1738913481
0.41.0a1738922922
0.41.0a1738942849
0.41.0a1738943864
0.41.0a1738947565
0.41.0a1738948334
0.41.0a1738949488
0.41.0a1738951496
0.41.0a1738961482
0.41.0a1739006911
0.41.0
0.41.1
0.42.0a1739015944
0.42.0a1739029428
0.42.0a1739042238
0.42.0a1739042985
0.42.0a1739044180
0.42.0a1739044629
0.42.0a1739047263
0.42.0a1739048896
0.42.0a1739050234
0.42.0a1739093954
0.42.0a1739099062
0.42.0
0.43.0a1739106873
0.43.0a1739383942
0.43.0a1739389035
0.43.0a1739429679
0.43.0
0.44.0a1739451866
0.44.0a1739565955
0.44.0
0.44.1a1739799852
0.44.1a1739881595
0.44.1a1739897729
0.44.1a1739899475
0.44.1a1739904268
0.44.1a1739905596
0.44.1a1739908048
0.44.1a1739909460
0.44.1a1739912278
0.44.1a1739949863
0.44.1a1739953863
0.44.1a1739958116
0.44.1a1739969973
0.44.1a1739983135
0.44.1
0.44.2a1740050593
0.44.2a1740071168
0.44.2a1740084271
0.44.2a1740085443
0.44.2a1740085570
0.44.2
0.45.0
0.45.1
0.45.2
0.45.3
0.45.4
0.46.0
0.46.1
0.47.0
0.47.1
0.47.2
0.47.3
0.47.4
0.47.5a1741824272
0.47.5a1741825046
0.47.5a1741825731
0.47.5a1741826544
0.47.5
0.48.0
0.49.0a1742393199
0.49.0a1742655039
0.49.0a1742657799
0.49.0a1742658030
0.49.0
0.50.0a1742865563
0.50.0a1742876514
0.50.0a1742886287
0.50.0a1742907455
0.50.0a1742975161
0.50.0
0.50.1
0.50.2
0.50.3
0.50.4a1743070636
0.50.4
0.50.5
0.51.0
0.51.1
0.51.2
0.52.0
0.52.1a1744119894
0.52.1
0.52.2
0.52.3a1744217583
0.52.3
0.52.4
0.53.0
0.53.1
0.54.0
0.55.0
0.55.1
0.55.2
0.55.3
0.55.4
0.55.5
0.55.6a1748524485
0.55.6a1748537170
0.55.6a1748538406
0.55.6a1748538717
0.55.6a1748545381
0.55.6a1748787282
0.55.6a1748962305
0.55.6a1749087129
0.55.6a1749087663
0.55.6a1749164000
0.55.6a1749165639
0.55.6a1749248294
0.55.6