CVE-2025-35436
BaseFortify
Publication date: 2025-09-17
Last updated on: 2025-12-19
Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisa | thorium | up to 1.1.2 (inclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-248 | An exception is thrown from a function, but it is not caught. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs because CISA Thorium calls `.unwrap()` on a result that can fail while handling account verification email messages. When that result holds an error, the call panics instead of reporting the failure (the uncaught-exception pattern of CWE-248). An unauthenticated remote attacker can trigger this by providing a specially crafted email address or response, which causes the application to crash.
How can this vulnerability impact me?
The impact of this vulnerability is a denial of service, as an attacker can cause the application to crash remotely without authentication by sending specially crafted input. This could disrupt service availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update CISA Thorium to the fixed version that includes commit 6a65a27, which replaces the `.unwrap()` in the account verification email handling with proper error handling. Avoid running unpatched versions, and monitor for crashes or restarts that coincide with malformed email addresses in account verification requests.
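The following is an added illustration of the CWE-248 pattern the answers above describe; it is constructed Rust code, not Thorium's own, and the `parse_address` check and `MailError` type are assumptions standing in for whatever the real email layer returns. It shows the vulnerable handler panicking on an unexpected address beside the hardened form that returns the error to the caller.

```rust
use std::panic;

/// Constructed error type standing in for the email layer's real error.
#[derive(Debug, PartialEq)]
pub enum MailError {
    InvalidAddress(String),
}

/// Hypothetical address check: exactly one '@', non-empty local part,
/// and a domain containing a dot. Anything else is an error, not a panic.
pub fn parse_address(raw: &str) -> Result<String, MailError> {
    let mut parts = raw.split('@');
    match (parts.next(), parts.next(), parts.next()) {
        (Some(local), Some(domain), None) if !local.is_empty() && domain.contains('.') => {
            Ok(format!("{local}@{domain}"))
        }
        _ => Err(MailError::InvalidAddress(raw.to_string())),
    }
}

/// The CWE-248 pattern: untrusted input reaches `.unwrap()`, so an `Err`
/// becomes a panic that unwinds the request handler (and, with
/// `panic = "abort"` in the build profile, terminates the whole process).
pub fn build_verification_vulnerable(raw: &str) -> String {
    let addr = parse_address(raw).unwrap();
    format!("To: {addr}\r\nSubject: Verify your account")
}

/// Hardened form: propagate the error with `?` so the caller can map it
/// to a client-error response instead of crashing.
pub fn build_verification_fixed(raw: &str) -> Result<String, MailError> {
    let addr = parse_address(raw)?;
    Ok(format!("To: {addr}\r\nSubject: Verify your account"))
}

/// Runs the vulnerable path under `catch_unwind` so the panic can be
/// observed without taking down the demonstrating process.
pub fn vulnerable_panics(raw: &str) -> bool {
    panic::catch_unwind(|| build_verification_vulnerable(raw)).is_err()
}

fn main() {
    for input in ["user@example.com", "not-an-address", "a@b@c.example"] {
        println!("{input:?}: vulnerable panics = {}, fixed = {:?}",
            vulnerable_panics(input), build_verification_fixed(input));
    }
}
```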