CVE-2025-54071
BaseFortify
Publication date: 2025-07-21
Last updated on: 2025-07-22
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rommapp | romm | 4.0.0-beta.4 |
| rommapp | romm | 4.0.0-beta.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in RomM (ROM Manager) versions 4.0.0-beta.3 and below, where an authenticated arbitrary file write flaw is present in the /api/saves endpoint. It allows an attacker with at least viewer role or Scope.ASSETS_WRITE permission to write or modify files anywhere on the filesystem with user-supplied content, potentially leading to Remote Code Execution on the system.
How can this vulnerability impact me?
The vulnerability can allow an attacker with limited authenticated access to write arbitrary files anywhere on the system, which can lead to Remote Code Execution. This means the attacker could execute malicious code remotely, potentially compromising the entire system, stealing data, or disrupting services.
What immediate steps should I take to mitigate this vulnerability?
Upgrade RomM (ROM Manager) to version 4.0.0-beta.4 or later, as this version contains the fix for the arbitrary file write vulnerability in the /api/saves endpoint. Additionally, restrict access to users with viewer role or Scope.ASSETS_WRITE permission or above, and monitor for any unauthorized file modifications.