CVE-2025-35430 MEDIUM

CVE-2025-35430: CISA Thorium insecure downloaded file path validation

Vendor Cisa
Product Thorium
Weakness CWE-22 · Path traversal
Published September 17, 2025
Last update September 30, 2025

CVSS base score

5.0/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

What the vulnerability does

01Description

CISA Thorium does not adequately validate the paths of downloaded files via 'download_ephemeral' and 'download_children'. A remote, authenticated attacker could access arbitrary files subject to file system permissions. Fixed in 1.1.2.

Key dates

02Disclosure timeline

September 17, 2025 CVE published
September 30, 2025 Record updated