CVE-2025-54992
BaseFortify
Publication date: 2025-08-11
Last updated on: 2025-08-12
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| telstra | open_kilda | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an XML external entity (XXE) injection found in OpenKilda versions prior to 1.164.0. It allows unauthenticated attackers to exploit the OpenKilda UI by combining this XXE issue with another vulnerability (GHSL-2025-024) to exfiltrate information from the system where the UI is running. Essentially, attackers can gain access to sensitive information without needing to authenticate.
How can this vulnerability impact me? :
The vulnerability can lead to information disclosure, meaning attackers can access sensitive data from the OpenKilda instance running the UI without authentication. This could compromise the confidentiality of your system's data and potentially expose critical information to unauthorized parties.
What immediate steps should I take to mitigate this vulnerability?
Upgrade OpenKilda to version 1.164.0 or later, as this version contains the patch that fixes the XML external entity (XXE) injection vulnerability.