CVE-2025-58438
BaseFortify
Publication date: 2025-09-06
Last updated on: 2025-11-03
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| internetarchive | internetarchive | 5.5.0 |
| internetarchive | internetarchive | 5.5.1 |
| internetarchive | python-internetarchive | 1.9.9-1+deb11u1 |
| internetarchive | python-internetarchive | 1.9.9-1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-58438 is a directory traversal (CWE-22) vulnerability in the File.download() method of the internetarchive Python library, affecting versions 5.5.0 and below. The method neither sanitizes the filename it is given nor validates the final download path before writing, so a filename containing path traversal sequences (for example ../../../../windows/system32/file.txt) or characters that are illegal on the target filesystem is joined to the destination directory as-is. The file is then written outside the intended download directory and can overwrite system or application files there. [1, 3]
How can this vulnerability impact me?
Successful exploitation lets an attacker-chosen filename overwrite files outside the download directory, including system or application configuration files. Depending on where the library runs and with which privileges, the result can be denial of service, privilege escalation, or remote code execution. Windows users are at particular risk because of drive letters and illegal-character handling, but the traversal itself affects every operating system. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection is primarily a version check: any installed internetarchive at version 5.5.0 or below is vulnerable. On a pip-managed install, `pip show internetarchive` or `python -c "import importlib.metadata as m; print(m.version('internetarchive'))"` prints the version; on Debian-based systems, `dpkg -l | grep internetarchive` shows the packaged python-internetarchive version. The referenced resources provide no network signatures or dedicated detection tooling. To spot exploitation attempts, monitor for writes landing outside the configured download directory and for filenames in item metadata or logs that contain traversal sequences such as `../` or `..\`, absolute paths, or drive-letter prefixes. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended step is to upgrade the internetarchive library to version 5.5.1 or later, where the issue is fixed. The fix sanitizes filenames automatically and verifies that the resolved download path stays inside the destination directory. If upgrading is not immediately possible, a wrapper around the download that sanitizes each filename component and rejects any path resolving outside the destination directory can serve as a stopgap; it only replicates the patched behaviour, so it should be treated as temporary. No other direct workarounds are documented. [1, 2, 3]
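To make the mechanism and the mitigation concrete, the following is an added example, not code from the internetarchive project or from the referenced resources. It contrasts an unchecked path join of the kind the advisory describes with a hardened resolver that sanitizes each filename component and then verifies that the fully resolved path still lies under the destination directory. The destination paths, filenames and the illegal-character list are assumptions for illustration; the symlink scenario shows why the post-sanitization resolve check is needed even when no `..` component survives.

```python
"""Added example, not internetarchive project code: an unchecked path join
beside a hardened destination resolver for downloaded files."""
import os
import re
import tempfile
from pathlib import Path

# Assumed set of characters illegal in Windows filenames plus control bytes;
# '/' and '\' are treated as separators rather than replaced.
_ILLEGAL = re.compile(r'[<>:"|?*\x00-\x1f]')


def unsafe_destination(destdir: str, name: str) -> str:
    """Unchecked join in the style the advisory describes: a name with '../'
    escapes destdir, and an absolute name discards destdir entirely."""
    return os.path.join(destdir, name)


def escapes(destdir: str, candidate: str) -> bool:
    """True if candidate, once fully resolved (symlinks and '..' included),
    is not destdir itself or a descendant of it. Usable both as the write
    guard and as an audit check over paths seen in logs."""
    base = Path(destdir).resolve()
    resolved = Path(candidate).resolve()
    return resolved != base and base not in resolved.parents


def sanitize_component(part: str) -> str:
    """Replace illegal characters, strip trailing dots/spaces (invalid on
    Windows) and reject anything that collapses to empty, '.' or '..'."""
    cleaned = _ILLEGAL.sub("_", part).rstrip(" .")
    if cleaned in ("", ".", ".."):
        raise ValueError(f"unsafe path component: {part!r}")
    return cleaned


def safe_destination(destdir: str, name: str) -> str:
    """Hardened resolver: split on both separator styles, sanitize every
    component, then confirm the resolved target stays inside destdir."""
    parts = [sanitize_component(p) for p in re.split(r"[\\/]+", name) if p]
    if not parts:
        raise ValueError("empty filename")
    target = Path(destdir).joinpath(*parts)
    if escapes(destdir, str(target)):
        raise ValueError(f"{name!r} resolves outside {destdir!r}")
    return str(target)


def accepted(destdir: str, name: str) -> bool:
    """Convenience wrapper: does the hardened resolver accept this name?"""
    try:
        safe_destination(destdir, name)
        return True
    except ValueError:
        return False


def symlink_escape_rejected() -> bool:
    """Constructed scenario: a symlink inside the download directory points
    elsewhere. 'link/evil.txt' has no '..' yet resolves outside, so only the
    resolve-based check catches it. Returns True if it was rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        downloads = os.path.join(tmp, "downloads")
        outside = os.path.join(tmp, "outside")
        os.mkdir(downloads)
        os.mkdir(outside)
        os.symlink(outside, os.path.join(downloads, "link"))
        return not accepted(downloads, "link/evil.txt")


if __name__ == "__main__":
    dl = "/srv/downloads"  # assumed destination directory
    for n in ("../../etc/passwd", "/etc/passwd", r"C:\Windows\x.txt", "item/a.txt"):
        print(f"{n!r}: unchecked -> {unsafe_destination(dl, n)!r}, "
              f"hardened accepts={accepted(dl, n)}")
    print("symlink escape rejected:", symlink_escape_rejected())
```

The traversal and absolute-path names are refused outright by component sanitization, while the Windows-style name is accepted only after its drive letter has been neutralized into an ordinary directory name under the destination. The final resolve-based check is what catches the symlink case, which is why a wrapper that only filters `..` is insufficient.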