CVE-2025-54141 HIGH

CVE-2025-54141: ViewVC's standalone server exposes arbitrary server filesystem content

Vendor Viewvc
Product viewvc
Weakness CWE-22 · Path traversal
Published July 22, 2025
Last update July 23, 2025

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

ViewVC is a browser interface for CVS and Subversion version control repositories. In versions 1.1.0 through 1.1.31 and 1.2.0 through 1.2.3, the standalone.py script provided in the ViewVC distribution can expose the contents of the host server's filesystem though a directory traversal-style attack. This is fixed in versions 1.1.31 and 1.2.4.

Key dates

02Disclosure timeline

July 22, 2025 CVE published
July 23, 2025 Record updated