Cyber Resilience

CVE-2025-58438

Severity: Critical
Published: 06 September 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (fixed in 5.5.1)
CVSS v4.0 base score: 9.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0385 (88.5th percentile)
Risk Priority: 21 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-58438 is a critical-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 9.4 (Critical).

Operationally, its EPSS score places it in the top 11.5% of CVEs by exploit likelihood (88.5th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability is a directory traversal flaw (CWE-22) in the internetarchive Python library and its command-line interface for Archive.org. In versions 5.5.0 and below, the File.download() method neither sanitizes the supplied filename nor validates the path it produces, so a name containing traversal sequences such as ../../../../ or characters that are illegal on the target platform can cause the file to be written outside the intended download directory. The issue affects all operating systems but is especially severe on Windows, and it carries a CVSS 4.0 base score of 9.4.

An attacker who can influence the filename passed to download() can overwrite any file the downloading process is permitted to write, including system binaries or application configuration files. Depending on the privileges the library runs with and the surrounding application context, successful exploitation may result in denial of service, privilege escalation, or remote code execution. No authentication or privileged network position is required. The CVSS vector does record passive user interaction (UI:P): a victim has to run the download, but beyond that the attacker needs only the ability to supply the malicious filename.

The vulnerability is fixed in release 5.5.1; the project has published both the correcting commit and an accompanying security advisory, while Debian has issued a corresponding LTS announcement for affected packages. The EPSS score has remained flat at 0.0385 with no material increase since disclosure.

Vulnerability details

internetarchive is a Python and Command-Line Interface to Archive.org. In versions 5.5.0 and below, there is a directory traversal (path traversal) vulnerability in the File.download() method of the internetarchive library. The file.download() method does not properly sanitize user-supplied filenames or validate the final download path. A maliciously crafted filename could contain path traversal sequences (e.g., ../../../../windows/system32/file.txt) or illegal characters that, when processed, would cause the file to be written outside of the intended target directory. An attacker could potentially overwrite critical system files or application configuration files, leading to a denial of service, privilege escalation, or remote code execution, depending on the context in which the library is used. The vulnerability is particularly critical for users on Windows systems, but all operating systems are affected. This issue is fixed in version 5.5.1.

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

internetarchive (Python library and command-line interface for Archive.org), versions 5.5.0 and below
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Path validation (addresses CWE-22): validate pathnames and filenames so that a download cannot be written outside the intended target directory.
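The following is an added example written for this page; it is not the internetarchive project's own File.download() code nor its 5.5.1 fix. It places the unchecked join that the deeper analysis attributes to versions 5.5.0 and below beside a validation routine of the kind the control above calls for, and runs both over constructed filenames including the advisory's ../../../../windows/system32/file.txt. The target directory /srv/downloads, the sample names and the function names are all assumptions; a POSIX host is assumed.

```python
"""Added example: unchecked download path beside a hardened validator.
Not the internetarchive project's code. Target directory and sample
filenames are constructed for illustration; assumes a POSIX host."""
import os
from pathlib import Path

# Characters Windows refuses in file names; NUL is rejected by every OS.
# ':' also blocks drive letters (C:) and NTFS alternate data streams (f.txt:x).
WINDOWS_ILLEGAL_CHARS = frozenset('<>:"|?*\x00')


class UnsafeFilename(ValueError):
    """The filename would place the file outside the target directory."""


def vulnerable_download_path(target_dir: str, filename: str) -> str:
    """The pattern the advisory describes: join the name and write, no checks."""
    return os.path.join(target_dir, filename)


def escapes_target(target_dir: str, filename: str) -> bool:
    """True if the unchecked join lands outside target_dir once '..' is applied."""
    base = os.path.abspath(target_dir)
    final = os.path.abspath(vulnerable_download_path(target_dir, filename))
    return os.path.commonpath([base, final]) != base


def safe_download_path(target_dir: str, filename: str) -> Path:
    """Return the validated absolute path for filename under target_dir.

    Rejects Windows-illegal characters, absolute names (including UNC
    prefixes), any '..' segment, and anything whose resolved form
    (symlinks included) is not strictly inside target_dir.
    """
    if not filename or any(ch in WINDOWS_ILLEGAL_CHARS for ch in filename):
        raise UnsafeFilename(f"illegal character in {filename!r}")
    # Treat backslash as a separator on every OS, so a name crafted for a
    # Windows client is judged by the same rules on a POSIX host.
    normalized = filename.replace("\\", "/")
    if normalized.startswith("/"):  # also catches //server/share UNC paths
        raise UnsafeFilename(f"absolute path not allowed: {filename!r}")
    parts = [p for p in normalized.split("/") if p not in ("", ".")]
    # Any '..' is refused outright, even one that would net out inside base.
    if not parts or ".." in parts:
        raise UnsafeFilename(f"traversal segment in {filename!r}")
    base = Path(target_dir).resolve()
    candidate = base.joinpath(*parts).resolve()
    # A symlinked subdirectory could still point outside base; check the result.
    if base not in candidate.parents:
        raise UnsafeFilename(f"{filename!r} resolves outside {base}")
    return candidate


def classify(target_dir: str, filenames) -> dict:
    """Run each name through the validator; map name -> 'accepted'/'rejected'."""
    results = {}
    for name in filenames:
        try:
            safe_download_path(target_dir, name)
            results[name] = "accepted"
        except UnsafeFilename:
            results[name] = "rejected"
    return results


# Constructed sample filenames (not taken from any real archive.org item).
SAMPLE_NAMES = [
    "data/file.txt",                          # benign
    "../../../../windows/system32/file.txt",  # the advisory's example
    "..\\..\\..\\boot.ini",                   # Windows-style traversal
    "/etc/cron.d/job",                        # absolute path
    "C:/Windows/win.ini",                     # drive letter
    "notes.txt:stream",                       # NTFS alternate data stream
    "a/./b/../c.txt",                         # '..' hidden behind '.' segments
]

if __name__ == "__main__":
    target = "/srv/downloads"
    for name, verdict in classify(target, SAMPLE_NAMES).items():
        unchecked = "escapes" if escapes_target(target, name) else "stays"
        print(f"validator={verdict:8s} unchecked_join={unchecked:8s} {name}")
```

Note the difference the host makes for the backslash case: on a POSIX build the unchecked join treats `..\..\..\boot.ini` as one odd filename that stays inside the target, while on Windows the same string traverses three directories, which is why the validator normalizes backslashes before inspecting segments. Refusing every `..` segment is deliberately stricter than resolving and comparing; the resolve-and-compare step remains as a second line of defence against symlinked subdirectories.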
