CVE-2025-58431 MEDIUM

CVE-2025-58431: ZimaOS reads arbitrary files using localhost calls to File API Download

Vendor Icewhaletech
Product ZimaOS
Weakness CWE-250
Published September 17, 2025
Last update September 17, 2025

CVSS base score

4.8/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:P

Description

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.4.1 and earlier, the /v2_1/files/file/download endpoint allows file reads by any user who has access to localhost, and those file reads are performed as root.

Disclosure timeline

September 17, 2025 CVE published
September 17, 2025 Record updated