CVE-2025-54433
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-07-30

Last updated on: 2025-07-31

Assigner: GitHub, Inc.

Description
Bugsink is a self-hosted error tracking service. In versions 1.4.2 and below, 1.5.0 through 1.5.4, 1.6.0 through 1.6.3, and 1.7.0 through 1.7.3, ingestion paths construct file locations directly from untrusted event_id input without validation. A specially crafted event_id can result in paths outside the intended directory, potentially allowing file overwrite or creation in arbitrary locations. Submitting such input requires access to a valid DSN, potentially exposing them. If Bugsink runs in a container, the effect is confined to the container’s filesystem. In non-containerized setups, the overwrite may affect other parts of the system accessible to that user. This is fixed in versions 1.4.3, 1.5.5, 1.6.4 and 1.7.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-07-30
Last Modified
2025-07-31
Generated
2026-05-07
AI Q&A
2025-07-30
EPSS Evaluated
2026-05-05
NVD
CVE-2025-54433
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
bugsink bugsink 1.7.4
bugsink bugsink <1.4.3
bugsink bugsink 1.5.5
bugsink bugsink 1.4.3
bugsink bugsink 1.6.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Bugsink, a self-hosted error tracking service, where certain versions construct file paths directly from untrusted event_id input without validation. This allows an attacker who can submit a specially crafted event_id (requiring access to a valid DSN) to cause file overwrite or creation outside the intended directory. If Bugsink runs in a container, the impact is limited to the container's filesystem; otherwise, it may affect other parts of the system accessible to the user running Bugsink. The issue is fixed in versions 1.4.3, 1.5.5, 1.6.4, and 1.7.4.


How can this vulnerability impact me? :

This vulnerability can allow an attacker with access to a valid DSN to overwrite or create files in arbitrary locations on the system where Bugsink is running. In containerized environments, the impact is confined to the container's filesystem, but in non-containerized setups, it could affect other parts of the system accessible to the user running Bugsink. This could lead to unauthorized modification or creation of files, potentially compromising system integrity or availability.


What immediate steps should I take to mitigate this vulnerability?

Upgrade Bugsink to a fixed version: 1.4.3, 1.5.5, 1.6.4, or 1.7.4 or later. If running Bugsink in a container, ensure container isolation is properly configured to limit filesystem impact. Restrict access to valid DSNs to prevent unauthorized submission of crafted event_id inputs.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart