CVE-2025-55194
BaseFortify
Publication date: 2025-08-13
Last updated on: 2025-08-26
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| part-db_project | part-db | to 1.17.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-248 | An exception is thrown from a function, but it is not caught. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Part-DB allows any authenticated user to upload a profile picture with a misleading file extension (such as .jpg.txt). When the system attempts to view or edit that user's profile, it triggers a persistent 500 Internal Server Error, making the profile permanently inaccessible through the user interface for both users and administrators. This results in a Denial of Service (DoS) within the user management interface.
How can this vulnerability impact me? :
The vulnerability can cause a Denial of Service (DoS) in the user management interface by making affected user profiles permanently inaccessible via the UI. This can disrupt normal operations, prevent profile management, and potentially hinder administrative tasks related to user accounts.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Part-DB to version 1.17.3 or later, where this vulnerability has been patched. Until the upgrade, restrict authenticated users from uploading profile pictures with misleading file extensions (e.g., .jpg.txt) to prevent triggering the persistent 500 Internal Server Error and resulting Denial of Service.