Cyber Resilience

CVE-2025-54433

Severity: High
Published: 30 July 2025
Modified: 15 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: fixed in Bugsink 1.4.3, 1.5.5, 1.6.4 and 1.7.4
CVSS v4.0 base score: 7.2 (High), vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics not defined)
EPSS score: 0.0101 (77.5th percentile)
Risk Priority: 15 (weighting 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-54433 is a high-severity Path Traversal (CWE-22) vulnerability in Bugsink with a CVSS v4.0 base score of 7.2 (High). The vector (network-reachable, low attack complexity, low privileges, no user interaction, high integrity and availability impact, no confidentiality impact) reflects that any holder of a valid DSN can create or overwrite files as the Bugsink process user, but cannot read them through this bug.

Operationally, its EPSS score of 0.0101 places it in the top 22.5% of CVEs by exploit likelihood (77.5th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Bugsink, a self-hosted error tracking service, is affected by a path traversal vulnerability (CWE-22) in versions 1.4.2 and earlier, 1.5.0–1.5.4, 1.6.0–1.6.3, and 1.7.0–1.7.3. The flaw resides in ingestion paths that construct file locations directly from untrusted event_id input without validation, enabling crafted values to escape the intended directory and overwrite or create files in arbitrary locations on the filesystem.

An attacker with a valid DSN can submit crafted event data to trigger the issue. In containerized deployments the impact is limited to the container's filesystem (including any volumes mounted into it); in non-containerized installations the write can reach any file the Bugsink process user can modify, which is why the CVSS vector rates integrity and availability impact as high. Confidentiality impact is rated none: the flaw writes files, it does not disclose them.

The vulnerability is resolved in versions 1.4.3, 1.5.5, 1.6.4, and 1.7.4, with the fix commits linked from the advisory adding validation of event_id values before any path is constructed from them.

EPSS remains flat at 0.0101 with no material increase after disclosure.

Vulnerability details

Bugsink is a self-hosted error tracking service. In versions 1.4.2 and below, 1.5.0 through 1.5.4, 1.6.0 through 1.6.3, and 1.7.0 through 1.7.3, ingestion paths construct file locations directly from untrusted event_id input without validation. A specially crafted event_id can result in paths outside the intended directory, potentially allowing file overwrite or creation in arbitrary locations. Submitting such input requires access to a valid DSN (which client applications commonly embed, so DSNs are not necessarily secret). If Bugsink runs in a container, the effect is confined to the container's filesystem. In non-containerized setups, the overwrite may affect other parts of the system accessible to that user. This is fixed in versions 1.4.3, 1.5.5, 1.6.4 and 1.7.4.

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Bugsink 1.4.2 and earlier, 1.5.0 through 1.5.4, 1.6.0 through 1.6.3, and 1.7.0 through 1.7.3 (inferred from the references and description; NVD did not file a CPE for this CVE).

Mitigating Controls

Likely mitigating controls (automated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-22) cited in the NVD entry.

Pathname validation (addresses CWE-22): validate pathnames and filenames to prevent traversal outside intended directories. For this CVE that means rejecting any event_id that is not a well-formed identifier before it is used to build a path, and confirming that the resolved path still lies under the ingest directory.
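The ingestion flaw described under Deeper analysis and the pathname-validation control above reduce to one pattern: an attacker-controlled event_id is joined onto a storage directory and the result is used as a file path. The Python below is an illustrative example added here, not Bugsink's own code or its actual fix. It places the weak pattern next to a hardened one. The ingest directory, the sample payloads and the 32-hex-character event_id format are assumptions for the example (that format is what Sentry-compatible clients send, but the allow-list should mirror whatever your ingest layer actually accepts).

```python
import os
import re

# Constructed value for this example; the real ingest directory is deployment-specific.
BASE_DIR = "/var/lib/bugsink/ingest"

# Assumed allow-list: Sentry-compatible event IDs are 32 hex characters (a UUID without dashes).
# Anchored with \A and \Z so a trailing newline or path separator cannot slip through.
EVENT_ID_RE = re.compile(r"\A[0-9a-f]{32}\Z")


def unsafe_event_path(base_dir: str, event_id: str) -> str:
    """The weak pattern behind CWE-22: the untrusted identifier goes straight into the path.

    os.path.join discards base_dir entirely when event_id is absolute, and '..' segments
    are resolved rather than rejected, so the result can land anywhere the process can write.
    """
    return os.path.normpath(os.path.join(base_dir, event_id))


def safe_event_path(base_dir: str, event_id: str) -> str:
    """Hardened pattern: allow-list the identifier's shape, then verify containment."""
    if not EVENT_ID_RE.match(event_id):
        raise ValueError("event_id must be exactly 32 lowercase hex characters")
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, event_id))
    # commonpath, not startswith: "/srv/ingest_evil".startswith("/srv/ingest") is True.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("event_id resolves outside the ingest directory")
    return candidate


def escapes(base_dir: str, path: str) -> bool:
    """True if path resolves outside base_dir (the condition the fix must make unreachable)."""
    root = os.path.realpath(base_dir)
    return os.path.commonpath([root, os.path.realpath(path)]) != root


def rejected(base_dir: str, event_id: str) -> bool:
    """True if the hardened builder refuses this event_id."""
    try:
        safe_event_path(base_dir, event_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed payloads: one well-formed event id and two traversal attempts.
    for eid in ["0123456789abcdef0123456789abcdef", "../../../etc/cron.d/pwn", "/tmp/pwn"]:
        weak = unsafe_event_path(BASE_DIR, eid)
        print(f"{eid!r:40} unsafe -> {weak}  escapes={escapes(BASE_DIR, weak)}  "
              f"hardened rejects={rejected(BASE_DIR, eid)}")
```

The shape check alone would already stop both payloads; the containment check is kept as defence in depth so that a later relaxation of the allow-list (or a symlink planted under the ingest directory) still cannot redirect a write outside it. Note that decoding happens before this check: if the ingest layer URL-decodes or JSON-parses the identifier, validate the decoded value, not the wire form.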
