CVE-2025-8454
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-01

Last updated on: 2025-08-06

Assigner: Debian GNU/Linux

Description
It was discovered that uscan, a tool to scan/watch upstream sources for new releases of software, included in devscripts (a collection of scripts to make the life of a Debian Package maintainer easier), skips OpenPGP verification if the upstream source is already downloaded from a previous run even if the verification failed back then.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-01
Last Modified
2025-08-06
Generated
2026-05-27
AI Q&A
2025-08-01
EPSS Evaluated
2026-05-25
NVD
CVE-2025-8454
EUVD
EUVD-2025-23342
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
debian devscripts 2.25.15
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability is in uscan, a tool used to monitor upstream sources for new software releases, which is part of devscripts. It skips OpenPGP verification for files that have already been downloaded, even if a previous verification failed. This means that potentially unverified or tampered files could be accepted without proper security checks.


How can this vulnerability impact me? :

This vulnerability can lead to the acceptance of files that have not been properly verified for authenticity and integrity. As a result, it could allow malicious or corrupted files to be used, potentially compromising the security of the software package or system relying on these files.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart