CVE-2025-58438
Published: 06 September 2025
Summary
CVE-2025-58438 is a critical-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 9.4 (Critical).
Operationally, it ranks in the top 11.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability is a directory traversal flaw (CWE-22) in the internetarchive Python library and its command-line interface for Archive.org. In versions 5.5.0 and below, the File.download() method fails to sanitize user-supplied filenames or validate the resulting path, allowing sequences such as ../../../../ or illegal characters to cause writes outside the intended target directory. The issue affects all operating systems but is especially severe on Windows and carries a CVSS 4.0 score of 9.4.
An attacker who can influence the filename passed to download() can overwrite arbitrary files on the system, including critical system binaries or application configuration files. Successful exploitation may result in denial of service, privilege escalation, or remote code execution depending on the privileges under which the library runs and the surrounding application context. No authentication or special network position is required beyond the ability to supply a malicious filename.
The vulnerability is fixed in release 5.5.1; the project has published both the correcting commit and an accompanying security advisory, while Debian has issued a corresponding LTS announcement for affected packages. The EPSS score has remained flat at 0.0385 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-27084
Vulnerability details
internetarchive is a Python and Command-Line Interface to Archive.org. In versions 5.5.0 and below, there is a directory traversal (path traversal) vulnerability in the File.download() method of the internetarchive library. The File.download() method does not properly sanitize user-supplied filenames or validate the final download path. A maliciously crafted filename could contain path traversal sequences (e.g., ../../../../windows/system32/file.txt) or illegal characters that, when processed, would cause the file to be written outside of the intended target directory. An attacker could potentially overwrite critical system files or application configuration files, leading to a denial of service, privilege escalation, or remote code execution, depending on the context in which the library is used. The vulnerability is particularly critical for users on Windows systems, but all operating systems are affected. This issue is fixed in version 5.5.1.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls
Control mapping specific to this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Validates pathnames and filenames to prevent traversal outside intended directories.
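The control above, and the missing validation described under "Deeper analysis", come down to one check: the resolved download path must stay inside the destination directory. The following is an added illustration and not the internetarchive project's code; the function names, the constructed deny-list of characters, and the use of `pathlib` for both separator conventions are assumptions made for this example.

```python
from pathlib import Path, PurePosixPath, PureWindowsPath

# Constructed deny-list: NUL plus the characters Windows forbids in names.
ILLEGAL_CHARS = set('\x00<>:"|?*')


def naive_download_path(dest_dir: str, filename: str) -> Path:
    """Unsafe pattern: joins the remote filename onto dest_dir unchecked.

    A name such as '../../../../windows/system32/file.txt' walks out of
    dest_dir, which is the flaw class described for CVE-2025-58438.
    """
    return Path(dest_dir) / filename


def safe_download_path(dest_dir: str, filename: str) -> Path:
    """Hardened variant: validate each component, then confine the result.

    Raises ValueError for empty names, absolute paths, drive letters,
    '..' components or illegal characters, whatever the host OS is.
    """
    if not filename:
        raise ValueError("empty filename rejected")
    # Parse with both separator conventions so a backslash-based
    # traversal is caught even when the library runs on POSIX.
    for pure in (PurePosixPath(filename), PureWindowsPath(filename)):
        if pure.is_absolute() or pure.drive or pure.root:
            raise ValueError(f"absolute path rejected: {filename!r}")
        for part in pure.parts:
            if part == ".." or ILLEGAL_CHARS & set(part):
                raise ValueError(f"bad component in {filename!r}")
    base = Path(dest_dir).resolve()
    target = (base / filename).resolve()
    # Containment check on the resolved path: symlinks inside dest_dir
    # that point elsewhere are caught here rather than by the parsing.
    if base not in target.parents:
        raise ValueError(f"path escapes destination: {target}")
    return target


def is_confined(dest_dir: str, filename: str) -> bool:
    """True when safe_download_path accepts filename, False when rejected."""
    try:
        safe_download_path(dest_dir, filename)
    except ValueError:
        return False
    return True
```

The containment test runs after `resolve()`, so it also rejects names that only escape through a symlinked subdirectory, which the component checks alone would miss.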