CVE-2025-59334
BaseFortify
Publication date: 2025-09-16
Last updated on: 2025-10-08
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mohammadzain2008 | linkr | < 2.0.1 (2.0.1 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-347 | The product does not verify, or incorrectly verifies, the cryptographic signature for data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Linkr versions prior to 2.0.1 (2.0.0 and earlier), where the software does not verify the integrity or authenticity of .linkr manifest files before acting on them. An attacker who can modify a manifest in transit or at rest can add file entries of their choosing, and the client will download whatever those entries point to and may execute it. This allows arbitrary file injection and, if the injected files are run, remote code execution. The root cause is the absence of any manifest checksum or signature verification (CWE-347), so a modified manifest is indistinguishable from the author's original. Version 2.0.1 fixes this by adding a manifest integrity check: the checksum of the manifest being extracted is compared with the checksum of the original author-created manifest, and extraction is aborted if they do not match. [1]
How can this vulnerability impact me?
This vulnerability lets an attacker inject arbitrary files into a Linkr package distribution. When you extract such a package with a vulnerable client, it downloads the attacker-supplied files without checking that the manifest is the one the author published. If you then run those binaries or scripts, the attacker gains code execution on your system, compromising the confidentiality, integrity and availability of your data and system. Realistic outcomes are system compromise, data theft, or service disruption. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Any Linkr installation older than 2.0.1 is affected, so the first check is the installed version. Beyond that, exposure is detected by verifying the integrity of .linkr manifest files before extraction. The extract command in version 2.0.1 or later performs this check itself: it compares the SHA-256 checksum of the local manifest against the original manifest hosted on trusted servers, aborts extraction on a mismatch, and issues a warning. Before updating, verify manifests manually by computing the SHA-256 of the local manifest and comparing it with the checksum of the trusted remote copy. The referenced resources do not give explicit commands; using the Linkr extractor with integrity verification (version 2.0.1 or later) is the recommended method. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Update Linkr to version 2.0.1 or later, which adds the manifest integrity check that aborts extraction when the manifest checksum does not match the original. Until you can update, use only .linkr manifests from trusted sources, verify manifest integrity manually by comparing checksums, and host manifests on servers you control to prevent tampering. Note that a checksum only helps if it is obtained through a channel the attacker cannot also modify; a checksum served alongside a tampered manifest from the same compromised location proves nothing. Avoid extracting manifests from untrusted or unknown sources. [1]
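The following is an added example, not Linkr's own code, illustrating the pre-fix and post-fix behaviour described in the explanation above and the manual verification step recommended under detection and mitigation. The manifest layout (JSON with a "files" list of path/url entries), the function names, and the sample manifests are assumptions constructed for the example; the real .linkr format is not shown on this page. The hardened path hashes the raw manifest bytes as received and compares them against a digest obtained out of band, which is the part that actually closes the gap: a reference digest delivered over the same path as the manifest can be replaced together with it.

```python
import hashlib
import hmac
import json

# Constructed sample: the manifest as the package author published it.
# The JSON layout (a "files" list of path/url entries) is an assumption for
# illustration; it is not the real .linkr format.
ORIGINAL_MANIFEST = json.dumps(
    {
        "name": "example-pkg",
        "version": "1.0.0",
        "files": [
            {"path": "bin/tool", "url": "https://example.invalid/tool"},
        ],
    },
    sort_keys=True,
).encode()

# Reference digest the author distributes out of band (somewhere the attacker
# cannot edit). It is computed over the raw published bytes, never over a
# re-serialized copy, so that any byte-level change is detectable.
TRUSTED_MANIFEST_SHA256 = hashlib.sha256(ORIGINAL_MANIFEST).hexdigest()

# Constructed tampered copy: an attacker appended a malicious file entry.
TAMPERED_MANIFEST = json.dumps(
    {
        "name": "example-pkg",
        "version": "1.0.0",
        "files": [
            {"path": "bin/tool", "url": "https://example.invalid/tool"},
            {"path": "update.sh", "url": "https://attacker.invalid/update.sh"},
        ],
    },
    sort_keys=True,
).encode()


class ManifestIntegrityError(Exception):
    """Raised when the manifest's digest does not match the trusted digest."""


def manifest_is_intact(manifest_bytes: bytes, trusted_sha256: str) -> bool:
    """Return True iff SHA-256(manifest_bytes) equals the trusted hex digest.

    hmac.compare_digest keeps the comparison constant-time; both sides are
    lowercase hex strings so a differently-cased reference still matches.
    """
    actual = hashlib.sha256(manifest_bytes).hexdigest()
    return hmac.compare_digest(actual, trusted_sha256.strip().lower())


def planned_downloads_unverified(manifest_bytes: bytes) -> list[str]:
    """Pre-fix behaviour (assumed): act on every entry the manifest lists."""
    return [entry["path"] for entry in json.loads(manifest_bytes)["files"]]


def planned_downloads_verified(manifest_bytes: bytes, trusted_sha256: str) -> list[str]:
    """Hardened behaviour: refuse to act on a manifest whose digest drifted."""
    if not manifest_is_intact(manifest_bytes, trusted_sha256):
        raise ManifestIntegrityError(
            "manifest checksum mismatch; refusing to download listed files"
        )
    return [entry["path"] for entry in json.loads(manifest_bytes)["files"]]


if __name__ == "__main__":
    # The unverified extractor would happily fetch the injected update.sh.
    print("unverified:", planned_downloads_unverified(TAMPERED_MANIFEST))
    # The verified extractor accepts the author's manifest ...
    print("verified (original):",
          planned_downloads_verified(ORIGINAL_MANIFEST, TRUSTED_MANIFEST_SHA256))
    # ... and aborts on the tampered one before any download is attempted.
    try:
        planned_downloads_verified(TAMPERED_MANIFEST, TRUSTED_MANIFEST_SHA256)
    except ManifestIntegrityError as exc:
        print("verified (tampered):", exc)
```

A pinned checksum is the minimum that addresses CWE-347 here; it detects modification but still depends on the reference digest being delivered and stored safely. A detached signature over the manifest, verified against a public key pinned in the client, would let the client reject a tampered manifest even when the distribution host itself is compromised.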