CVE-2025-49588
BaseFortify
Publication date: 2025-07-02
Last updated on: 2025-07-03
Assigner: GitHub, Inc.
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in Linkwarden version 2.10.2 involves the server accepting links of the form file:///etc/passwd without validating them before handing them to its parsers and to Playwright. Because the scheme is never checked, a submitted link can point the server at local files; this can leak other users' links and, in some cases, environment secrets. The issue was fixed in version 2.10.3.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of other users' bookmarked links and potentially sensitive environment secrets, which could compromise user privacy and system security.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Linkwarden to version 2.10.3 or later once it is publicly available, as this version contains the patch for the vulnerability. Until then, restrict access to the Linkwarden server to trusted users only and avoid processing untrusted links with the file:/// scheme to prevent potential information leaks.
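The fix the Q&A describes amounts to validating a submitted link before any parser or headless browser touches it. The following is an added example, not Linkwarden's own code: it allow-lists the URL scheme (http/https only) using the WHATWG URL parser, so file:, javascript:, data: and similar schemes are rejected up front. The function name, the return shape and the sample inputs are assumptions made for this illustration.

```javascript
// Added example (not code from Linkwarden). Scheme allow-listing for
// user-submitted bookmark URLs, applied before fetching, parsing or
// rendering the link in a headless browser such as Playwright.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]); // assumption: only web links are bookmarkable

// Returns { ok: true, url } for an acceptable link, otherwise { ok: false, reason }.
function validateLinkUrl(input) {
  let url;
  try {
    // new URL() normalises the scheme to lower case, so "FILE:" is caught too.
    url = new URL(String(input).trim());
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: `scheme not allowed: ${url.protocol}` };
  }
  if (!url.hostname) {
    return { ok: false, reason: "missing host" };
  }
  if (url.username || url.password) {
    // Embedded credentials are a common trick to confuse host checks; refuse them.
    return { ok: false, reason: "credentials in URL" };
  }
  return { ok: true, url: url.href };
}

// Constructed sample inputs (not taken from any real report) to show the decisions.
const SAMPLE_INPUTS = [
  "https://example.com/path?q=1",
  "file:///etc/passwd",
  "FILE:///proc/self/environ",
  "javascript:alert(1)",
  "data:text/plain,hello",
  "http://user:secret@example.com/",
  "not a url",
];

// Returns the decision for every sample, e.g. for a log line or an audit table.
function reviewSamples(inputs = SAMPLE_INPUTS) {
  return inputs.map((raw) => ({ raw, ...validateLinkUrl(raw) }));
}

for (const r of reviewSamples()) {
  console.log(r.ok ? `ACCEPT ${r.url}` : `REJECT ${JSON.stringify(r.raw)}: ${r.reason}`);
}
```

Scheme allow-listing closes the file:// path the advisory describes, but it does not by itself stop a link pointing at internal hosts (for example a metadata service or a loopback address) over http; that needs a separate host and resolved-address check on the server that performs the fetch.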