Cyber Resilience

CVE-2025-67819

Medium

Published: 12 December 2025

Modified: 19 December 2025
KEV Added
Patch
CVSS Score v3.1: 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0024 (47.1th percentile)
Risk Priority: 10 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-67819 is a medium-severity Path Traversal (CWE-22) vulnerability in Weaviate. Its CVSS base score is 4.9 (Medium).

Operationally, it is ranked at the 47.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as Similarity Search, in the Privacy and Disclosure risk domain.

EU & UK References

Vulnerability details

An issue was discovered in Weaviate OSS before 1.33.4. Due to a lack of validation of the fileName field in the transfer logic, an attacker who can call the GetFile method while a shard is in the "Pause file activity" state and the FileReplicationService is reachable can read arbitrary files accessible to the service process.

CWE(s)

AI Security Analysis

AI Category: Similarity Search
Risk Domain: Privacy and Disclosure
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: weaviate

Related Threats

Affected Assets

weaviate
weaviate
1.30.0 — 1.30.19 · 1.31.0 — 1.31.18 · 1.32.0 — 1.32.15

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

References