CVE-2025-35436
BaseFortify

Publication date: 2025-09-17

Last updated on: 2025-12-19

Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government

Description
CISA Thorium uses '.unwrap()' to handle errors related to account verification email messages. An unauthenticated remote attacker could cause a crash by providing a specially crafted email address or response. Fixed in commit 6a65a27.
Meta Information
Published: 2025-09-17
Last Modified: 2025-12-19
Generated: 2026-06-22
AI Q&A: 2025-09-17
EPSS Evaluated: 2026-06-21
Affected Vendors & Products
Showing 1 associated CPE
Vendor: cisa
Product: thorium
Version / Range: to 1.1.2 (inc)
CWE
CWE ID: CWE-248
Description: An exception is thrown from a function, but it is not caught.
Executive Summary

This vulnerability occurs because CISA Thorium uses the '.unwrap()' function to handle errors related to account verification email messages. An unauthenticated remote attacker can exploit this by providing a specially crafted email address or response, which causes the application to crash.

Impact Analysis

The impact of this vulnerability is a denial of service, as an attacker can cause the application to crash remotely without authentication by sending specially crafted input. This could disrupt service availability.

Mitigation Strategies

To mitigate this vulnerability, update CISA Thorium to a version that includes commit 6a65a27, which addresses the '.unwrap()' handling of errors in account verification email messages. Avoid running unpatched versions, and monitor for crashes caused by specially crafted email addresses or responses.
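The error-handling pattern described above, shown as an added Rust example next to a hardened form. This is not Thorium source code and not the content of commit 6a65a27; every function name, the address rule and the "250 OK" reply format are assumptions made for illustration.

```rust
// Added illustration of CWE-248 in Rust; not Thorium code. All names are hypothetical.
use std::panic;

#[derive(Debug, PartialEq)]
pub enum VerifyError {
    BadAddress,
    BadResponse,
}

/// Split "local@domain"; anything else yields None (constructed, minimal rule).
fn split_address(addr: &str) -> Option<(&str, &str)> {
    let (local, domain) = addr.split_once('@')?;
    if local.is_empty() || domain.is_empty() || domain.contains('@') {
        return None;
    }
    Some((local, domain))
}

/// Parse the 3-digit status code of a mail server reply such as "250 OK".
fn reply_code(reply: &str) -> Option<u16> {
    // `get` returns None for short input or a non-char boundary instead of panicking.
    reply.get(..3)?.parse().ok()
}

/// Pattern the advisory describes: externally supplied input reaches `.unwrap()`.
pub fn send_verification_unwrap(addr: &str, reply: &str) -> u16 {
    let (_local, _domain) = split_address(addr).unwrap(); // panics on a bad address
    reply_code(reply).unwrap() // panics on a malformed reply
}

/// Hardened form: each failure is returned as a value the caller can turn into an error response.
pub fn send_verification_checked(addr: &str, reply: &str) -> Result<u16, VerifyError> {
    split_address(addr).ok_or(VerifyError::BadAddress)?;
    reply_code(reply).ok_or(VerifyError::BadResponse)
}

/// True if the unwrap-based variant panics for this input.
pub fn unwrap_variant_panics(addr: &str, reply: &str) -> bool {
    panic::catch_unwind(|| send_verification_unwrap(addr, reply)).is_err()
}

fn main() {
    // Constructed sample inputs: one valid pair, one bad address, one malformed reply.
    for (addr, reply) in [("user@example.org", "250 OK"), ("no-at-sign", "250 OK"), ("user@example.org", "\u{e9}")] {
        let checked = send_verification_checked(addr, reply);
        println!("{:?} {:?} -> checked={:?} unwrap_panics={}", addr, reply, checked, unwrap_variant_panics(addr, reply));
    }
}
```

In code review, the same check can be enforced mechanically with Clippy's `unwrap_used` lint on modules that handle request or mail-server input.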
