CVE-2025-55194 MEDIUM

CVE-2025-55194: Part-DB Persistent Denial of Service via Uncaught Exception from Misleading File Extension in Avatar Upload

Vendor: Part-Db
Product: Part-DB-server
Weakness: CWE-248
Published: August 13, 2025
Last update: August 14, 2025

CVSS base score

5.7/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Required
Confidentiality: None
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

What the vulnerability does

01 Description

Part-DB is an open source inventory management system for electronic components. Prior to version 1.17.3, any authenticated user can upload a profile picture with a misleading file extension (e.g., .jpg.txt), resulting in a persistent 500 Internal Server Error when attempting to view or edit that user’s profile. This makes the profile permanently inaccessible via the UI for both users and administrators, constituting a Denial of Service (DoS) within the user management interface. This issue has been patched in version 1.17.3.

Key dates

02 Disclosure timeline

August 13, 2025: CVE published
August 14, 2025: Record updated