CVE-2024-25711
Published: 27 February 2024
Summary
CVE-2024-25711 is a high-severity Path Traversal (CWE-22) vulnerability in Reproducible Builds Diffoscope. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 9.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Diffoscope versions prior to 256 contain a path traversal flaw (CWE-22) that occurs when processing GPG files containing embedded filenames. The tool invokes gpg with --use-embedded-filenames and trusts the filename embedded in the file, so an attacker-supplied GPG file can reference arbitrary paths such as ../.ssh/id_rsa. The issue received a CVSS 7.5 rating, reflecting network-reachable disclosure without authentication.
An unauthenticated attacker can supply a crafted GPG file to any diffoscope invocation that processes untrusted input. Successful exploitation results in the contents of files readable by the diffoscope process being written to the output or console, enabling theft of private keys, configuration data, or other sensitive material on the analyzing host.
Fedora and Debian advisories direct users to update to diffoscope 256 or later; the fix is implemented in commit dfed7699, which stops honoring embedded filenames from GPG metadata. The associated EPSS score has remained flat at 0.0526, with no observed increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-0035
Vulnerability details
diffoscope before 256 allows directory traversal via an embedded filename in a GPG file. Contents of any file, such as ../.ssh/id_rsa, may be disclosed to an attacker. This occurs because the value of the gpg --use-embedded-filenames option is trusted.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Validates pathnames and filenames to prevent traversal outside intended directories.
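The following is an added illustration of the control described above, applied to the weakness class in this CVE: a filename taken from file metadata (here, a GPG embedded filename) must not be allowed to select a path outside the tool's output directory. This is example code written for this page; it is not diffoscope's own implementation nor the code of commit dfed7699. The function names, the output directory and the sample filenames are assumptions constructed for the demonstration. It shows both a validating resolver (reject anything that escapes the base directory) and the simpler mitigation the advisory describes, which ignores the embedded name entirely.

```python
"""Added example (not diffoscope code): validating an untrusted embedded
filename before it chooses where output is read from or written to."""
import os
import posixpath


class UnsafeFilenameError(ValueError):
    """Raised when an untrusted filename would escape the output directory."""


def resolve_output_path(output_dir: str, embedded_name: str) -> str:
    """Resolve a metadata-supplied filename against output_dir.

    A naive os.path.join(output_dir, embedded_name) honours "../" segments
    and absolute paths, which is the CWE-22 pattern behind this CVE.  Here
    the normalised result is checked to lie inside output_dir, so values
    such as "../.ssh/id_rsa" or "/etc/passwd" are rejected.
    """
    if not embedded_name or "\x00" in embedded_name:
        raise UnsafeFilenameError("empty filename or embedded NUL byte")
    # Metadata may originate on any OS: treat backslashes as separators too,
    # so "..\\.ssh\\id_rsa" cannot slip past a forward-slash-only check.
    normalised = embedded_name.replace("\\", "/")
    if posixpath.isabs(normalised):
        raise UnsafeFilenameError("absolute paths are not allowed")
    base = os.path.realpath(output_dir)
    candidate = os.path.realpath(os.path.join(base, normalised))
    # commonpath (not startswith) avoids the prefix trap where
    # "/out2/x" would be accepted as being under "/out".
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # e.g. different drives on Windows
        inside = False
    if not inside:
        raise UnsafeFilenameError(f"{embedded_name!r} escapes {output_dir}")
    return candidate


def is_safe(output_dir: str, embedded_name: str) -> bool:
    """Boolean wrapper around resolve_output_path for use in checks."""
    try:
        resolve_output_path(output_dir, embedded_name)
        return True
    except UnsafeFilenameError:
        return False


def fixed_output_name(output_dir: str, index: int) -> str:
    """The simplest mitigation, matching what the advisory says the fix does:
    do not honour the embedded filename at all; use a tool-chosen name."""
    return os.path.join(output_dir, f"decrypted-{index}.bin")


if __name__ == "__main__":
    # Constructed sample values; the directory does not need to exist.
    out = "/tmp/diffoscope-out"
    for name in ["report.txt", "sub/inner.dat", "../.ssh/id_rsa",
                 "/etc/passwd", "..\\.ssh\\id_rsa", "../diffoscope-out2/x"]:
        verdict = "accepted" if is_safe(out, name) else "REJECTED"
        print(f"{name!r:28} -> {verdict}")
    print("tool-chosen name:", fixed_output_name(out, 0))
```

In a tool that must process untrusted inputs, the second approach (a tool-chosen name) removes the attacker's influence over the path entirely and is what the fix described on this page does; the resolver is the general control for cases where a caller-supplied name genuinely has to be preserved.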