CVE-2025-52968
BaseFortify
Publication date: 2025-06-23
Last updated on: 2025-06-23
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-420 | The product protects a primary channel, but it does not use the same level of protection for an alternate channel. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-52968 is a security issue in the xdg-open command, which opens URLs in the system's default browser. When xdg-open launches a browser with a URL, the browser treats the navigation as if the user had typed the URL manually, so SameSite=Strict cookies are sent with the request. Normally these cookies are withheld on cross-site in-browser navigation precisely to prevent CSRF. Because links opened through xdg-open carry them anyway, an attacker who gets a user to open a link this way (for example from an email client) can reach CSRF-vulnerable endpoints with the victim's cookies, weakening the protection that direct browser navigation provides. [1]
How can this vulnerability impact me?
This vulnerability can enable Cross-Site Request Forgery (CSRF) attacks by allowing malicious links opened through xdg-open to send SameSite=Strict cookies with requests. This can lead to unauthorized actions being performed on behalf of a user without their consent, especially when external applications like email clients open untrusted links using xdg-open. As a result, attackers may exploit this to compromise user sessions or perform actions that should have been protected by browser cookie policies. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detecting exposure to this vulnerability means checking whether URLs opened through xdg-open produce requests that carry SameSite=Strict cookies, which should not be sent on a navigation originating outside the browser. Since the problem stems from xdg-open launching the browser with the URL treated as manually typed, you can audit calls to xdg-open and inspect the resulting HTTP requests for cookies the server marks as SameSite=Strict. Note that the Cookie request header does not carry the SameSite attribute; you need to know from the server's Set-Cookie headers (or application configuration) which cookie names are Strict and then look for those names in captured requests. Specific commands are not provided in the resources, but system auditing tools can log invocations of xdg-open and network monitoring tools (e.g., tcpdump or Wireshark) can capture HTTP requests for this check. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating browsers to versions that support an "untrusted" mode or flag for opening external URLs, which prevents sending SameSite=Strict cookies in such contexts. Additionally, updating xdg-open to versions that can pass this "untrusted" context to browsers is recommended. Desktop environments and applications should be configured or updated to invoke xdg-open with this "untrusted" option when opening URLs from untrusted origins. Since no specific remediation has been finalized yet, monitoring updates from Linux distribution security teams and the oss-security mailing list is advised. [1]
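As an added illustration covering both the explanation above and the proposed "untrusted" mitigation (this is not code from the page, from xdg-open or from any browser), the following Python model encodes the SameSite attachment rules for a top-level navigation and shows why a URL handed over by an external launcher currently receives Strict cookies while a cross-site link does not. The `untrusted_external` flag, the site names and the cookie names are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional

class SameSite(Enum):
    STRICT = "Strict"
    LAX = "Lax"
    NONE = "None"

@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: SameSite

@dataclass(frozen=True)
class Navigation:
    target_site: str
    # Site of the page that initiated the navigation; None means the browser
    # itself started it (typed URL, bookmark, or a URL handed over by xdg-open).
    initiator_site: Optional[str]
    method: str = "GET"
    # Hypothetical "untrusted" hint the mitigation proposes: the URL came from
    # an external application and must be treated as cross-site.
    untrusted_external: bool = False

SAFE_METHODS = {"GET", "HEAD"}

def is_same_site(nav: Navigation) -> bool:
    if nav.initiator_site is None:
        # No web initiator: browsers treat this like a typed URL (same-site)
        # unless the launcher explicitly marks the URL as untrusted.
        return not nav.untrusted_external
    return nav.initiator_site == nav.target_site

def cookie_attached(cookie: Cookie, nav: Navigation) -> bool:
    if cookie.same_site is SameSite.NONE:
        return True
    if cookie.same_site is SameSite.STRICT:
        return is_same_site(nav)
    # Lax: same-site requests, plus top-level navigations using safe methods.
    return is_same_site(nav) or nav.method in SAFE_METHODS

def cookies_sent(jar: List[Cookie], nav: Navigation) -> List[str]:
    return [c.name for c in jar if cookie_attached(c, nav)]

# Constructed sample jar for a fictitious bank site and three navigations.
JAR = [Cookie("session", SameSite.STRICT), Cookie("prefs", SameSite.LAX)]
CROSS_SITE_LINK = Navigation("bank.example", initiator_site="evil.example")
XDG_OPEN_TODAY = Navigation("bank.example", initiator_site=None)
XDG_OPEN_FIXED = Navigation("bank.example", initiator_site=None, untrusted_external=True)
```

Running `cookies_sent(JAR, ...)` for the three navigations shows the Strict `session` cookie withheld for the cross-site link, attached for today's xdg-open launch, and withheld again once the launcher passes the untrusted hint.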