CVE-2025-23011 HIGH

CVE-2025-23011: Fedora Repository archive extraction path traversal

Vendor Fedora Repository

Product Fedora Repository

Weakness CWE-23

Published January 23, 2025

Last update February 6, 2025

View on NVD All CVEs

CVSS base score

8.7/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

What the vulnerability does

01Description

Fedora Repository 3.8.1 allows path traversal when extracting uploaded archives ("Zip Slip"). A remote, authenticated attacker can upload a specially crafted archive that will extract an arbitrary JSP file to a location that can be executed by an unauthenticated GET request. Fedora Repository 3.8.1 was released on 2015-06-11 and is no longer maintained. Migrate to a currently supported version (6.5.1 as of 2025-01-23).

Key dates

02Disclosure timeline

January 23, 2025 CVE published

February 6, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-23011

Related vulnerabilities

CVE-2025-23011: Fedora Repository archive extraction path traversal

01Description

02Disclosure timeline

03References

04Related CVE