CVE-2025-54433
CVE-2025-54433 is a high-severity vulnerability with a CVSS 4.0 base score of 7.2. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-22.
Key facts
- Severity: High (CVSS 4.0 base score 7.2)
- EPSS exploit prediction: 1% (41st percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-23153
- Weakness: CWE-22
- Published:
- Last modified:
Description
Bugsink is a self-hosted error tracking service. In versions 1.4.2 and below, 1.5.0 through 1.5.4, 1.6.0 through 1.6.3, and 1.7.0 through 1.7.3, ingestion paths construct file locations directly from untrusted event_id input without validation. A specially crafted event_id can result in paths outside the intended directory, potentially allowing file overwrite or creation in arbitrary locations. Submitting such input requires access to a valid DSN, potentially exposing them. If Bugsink runs in a container, the effect is confined to the container’s filesystem. In non-containerized setups, the overwrite may affect other parts of the system accessible to that user. This is fixed in versions 1.4.3, 1.5.5, 1.6.4 and 1.7.4.
Frequently asked questions
- What is CVE-2025-54433?
- Bugsink is a self-hosted error tracking service. In versions 1.4.2 and below, 1.5.0 through 1.5.4, 1.6.0 through 1.6.3, and 1.7.0 through 1.7.3, ingestion paths construct file locations directly from untrusted event_id input without validation. A specially crafted event_id can result in paths outside the intended directory, potentially allowing file overwrite or creation in arbitrary locations. Submitting such input requires access to a valid DSN, potentially exposing them. If Bugsink runs in a container, the effect is confined to the container’s filesystem. In non-containerized setups, the overwrite may affect other parts of the system accessible to that user. This is fixed in versions 1.4.3, 1.5.5, 1.6.4 and 1.7.4.
- How severe is CVE-2025-54433?
- CVE-2025-54433 has a CVSS 4.0 base score of 7.2, rated high severity.
- Is CVE-2025-54433 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (41st percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2025-54433?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2025-54433 have an EU (EUVD) identifier?
- Yes. CVE-2025-54433 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-23153.
- When was CVE-2025-54433 published?
- CVE-2025-54433 was published on 2025-07-30 and last updated on 2026-06-17.
References
- https://github.com/bugsink/bugsink/commit/1001726f4389e982c486cdd5fa81941cb46cfc33
- https://github.com/bugsink/bugsink/commit/211ddf76758c808c095b5f836c363f148d934d21
- https://github.com/bugsink/bugsink/commit/2c41fbe3881bdea83399a7f9fdc8cff198ae089f
- https://github.com/bugsink/bugsink/commit/53cf1a17a3e96f7c83c7451fd56f980a09d0c9b0
- https://github.com/bugsink/bugsink/commit/55a155003d0b416ea008c5e7dcde85130ad21d9b
- https://github.com/bugsink/bugsink/commit/b94aa8a5c96ce8cdd9711b6beb4e518264993ac2
- https://github.com/bugsink/bugsink/commit/c341687bd655543730c812db35c29199f788be6b
- https://github.com/bugsink/bugsink/commit/c87217bd565122ba70af90436e3ab2cd9bee658f
- https://github.com/bugsink/bugsink/security/advisories/GHSA-q78p-g86f-jg6q
Other CWE-22 (Path Traversal) vulnerabilities
- CVE-2026-48282 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted…
- CVE-2026-54917 — Critical (CVSS 10.0): SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the…
- CVE-2026-11429 — Critical (CVSS 10.0): Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file…
- CVE-2026-34909 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to…
- CVE-2026-7411 — Critical (CVSS 10.0): In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel…
- CVE-2026-36767 — Critical (CVSS 10.0): A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary…