CVE-2025-58438
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-06

Last updated on: 2025-11-03

Assigner: GitHub, Inc.

Description
internetarchive is a Python and Command-Line Interface to Archive.org In versions 5.5.0 and below, there is a directory traversal (path traversal) vulnerability in the File.download() method of the internetarchive library. The file.download() method does not properly sanitize user-supplied filenames or validate the final download path. A maliciously crafted filename could contain path traversal sequences (e.g., ../../../../windows/system32/file.txt) or illegal characters that, when processed, would cause the file to be written outside of the intended target directory. An attacker could potentially overwrite critical system files or application configuration files, leading to a denial of service, privilege escalation, or remote code execution, depending on the context in which the library is used. The vulnerability is particularly critical for users on Windows systems, but all operating systems are affected. This issue is fixed in version 5.5.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-06
Last Modified
2025-11-03
Generated
2026-06-16
AI Q&A
2025-09-06
EPSS Evaluated
2026-06-14
NVD
CVE-2025-58438
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
internetarchive internetarchive 5.5.0
internetarchive internetarchive 5.5.1
internetarchive python-internetarchive 1.9.9-1+deb11u1
internetarchive python-internetarchive 1.9.9-1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-58438 is a critical directory traversal vulnerability in the File.download() method of the internetarchive Python library (versions 5.5.0 and below). The method does not properly sanitize user-supplied filenames or validate the final download path, allowing an attacker to craft filenames with path traversal sequences (like ../../../../windows/system32/file.txt) or illegal characters. This can cause files to be written outside the intended directory, potentially overwriting critical system or application files. [1, 3]

Impact Analysis

Exploitation of this vulnerability can lead to overwriting critical system or application configuration files, which may cause denial of service, privilege escalation, or remote code execution depending on how the library is used. The risk is especially high for Windows users but affects all operating systems. [1, 3]

Detection Guidance

This vulnerability can be detected by checking if the internetarchive library version in use is 5.5.0 or below, as these versions are vulnerable. There are no specific network detection commands provided. To detect exploitation attempts, you could monitor for unexpected file writes outside the intended download directory, especially files with suspicious path traversal patterns like '../../' sequences in filenames. However, no explicit commands or detection tools are provided in the resources. [1, 3]

Mitigation Strategies

The immediate and recommended step to mitigate this vulnerability is to upgrade the internetarchive library to version 5.5.1 or later, where the issue is fixed. This update includes automatic filename sanitization and path resolution checks that prevent directory traversal attacks. If upgrading is not immediately possible, a custom download function that sanitizes filenames and verifies paths could be implemented, but this is not recommended as it replicates the patch. No other direct workarounds exist. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58438. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart