CVE-2025-54433
Published: 30 July 2025
Summary
CVE-2025-54433 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 22.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Bugsink, a self-hosted error tracking service, is affected by a path traversal vulnerability (CWE-22) in versions 1.4.2 and earlier, 1.5.0–1.5.4, 1.6.0–1.6.3, and 1.7.0–1.7.3. The flaw resides in ingestion paths that construct file locations directly from untrusted event_id input without validation, enabling crafted values to escape the intended directory and overwrite or create files in arbitrary locations on the filesystem.
An attacker with a valid DSN can submit malicious event data to trigger the issue. In containerized deployments the impact remains limited to the container, while non-containerized installations allow the overwrite to affect other files accessible to the Bugsink process user, resulting in high integrity and availability consequences per the CVSS 7.2 rating.
The vulnerability is resolved in versions 1.4.3, 1.5.5, 1.6.4, and 1.7.4, with the fixes delivered through the referenced GitHub commits that add proper validation of event_id values before path construction.
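The fix class described above, shown as an added example that is not Bugsink's own code: the unsafe pattern of joining an untrusted event_id into a path, beside a hardened version that first canonicalises the id (assumed here to be a Sentry-style 32-hex-digit value, optionally hyphenated) and then confirms the resolved file is still a direct child of the event directory. The base directory name is a constructed placeholder.

```python
import os
import re
from pathlib import Path

# Assumed event_id shape: 32 hex digits, optionally with UUID hyphens.
# This regex is the example's assumption, not Bugsink's own validator.
EVENT_ID_RE = re.compile(r"\A[0-9a-fA-F]{32}\Z")


def normalize_event_id(raw):
    """Return the canonical 32-char lowercase hex event_id, or None if invalid.

    Allowing only hex digits means '.', '/', '\\' and NUL can never reach
    the filesystem layer, which is the validation the advisory says was missing.
    """
    if not isinstance(raw, str):
        return None
    candidate = raw.replace("-", "")
    if not EVENT_ID_RE.match(candidate):
        return None
    return candidate.lower()


def unsafe_event_path(base_dir, event_id):
    """The vulnerable pattern: the untrusted id goes straight into the path."""
    return os.path.join(base_dir, event_id)


def safe_event_path(base_dir, event_id):
    """Validate first, then confirm the resolved file still sits in base_dir."""
    canonical = normalize_event_id(event_id)
    if canonical is None:
        raise ValueError("invalid event_id")
    base = Path(base_dir).resolve()
    target = (base / canonical).resolve()
    # Second line of defence: the file must be a direct child of base_dir.
    if target.parent != base:
        raise ValueError("event_id resolves outside the event directory")
    return str(target)


def escapes_base(base_dir, event_id):
    """Defender-side check: would unsafe_event_path() land outside base_dir?"""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(unsafe_event_path(base_dir, event_id))
    return os.path.commonpath([base, target]) != base
```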
EPSS remains flat at 0.0101 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23153
Vulnerability details
Bugsink is a self-hosted error tracking service. In versions 1.4.2 and below, 1.5.0 through 1.5.4, 1.6.0 through 1.6.3, and 1.7.0 through 1.7.3, ingestion paths construct file locations directly from untrusted event_id input without validation. A specially crafted event_id can result in paths outside the intended directory, potentially allowing file overwrite or creation in arbitrary locations. Submitting such input requires access to a valid DSN, potentially exposing them. If Bugsink runs in a container, the effect is confined to the container’s filesystem. In non-containerized setups, the overwrite may affect other parts of the system accessible to that user. This is fixed in versions 1.4.3, 1.5.5, 1.6.4 and 1.7.4.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.