CVE-2025-59334
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-16

Last updated on: 2025-10-08

Assigner: GitHub, Inc.

Description
Linkr is a lightweight file delivery system that downloads files from a webserver. Linkr versions through 2.0.0 do not verify the integrity or authenticity of .linkr manifest files before using their contents, allowing a tampered manifest to inject arbitrary file entries into a package distribution. An attacker can modify a generated .linkr manifest (for example by adding a new entry with a malicious URL) and when a user runs the extract command the client downloads the attacker-supplied file without verification. This enables arbitrary file injection and creates a potential path to remote code execution if a downloaded malicious binary or script is later executed. Version 2.0.1 adds a manifest integrity check that compares the checksum of the original author-created manifest to the one being extracted and aborts on mismatch, warning if no original manifest is hosted. Users should update to 2.0.1 or later. As a workaround prior to updating, use only trusted .linkr manifests, manually verify manifest integrity, and host manifests on trusted servers.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-16
Last Modified
2025-10-08
Generated
2026-06-16
AI Q&A
2025-09-16
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59334
EUVD
EUVD-2025-29625
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mohammadzain2008 linkr to 2.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Linkr versions up to 2.0.0, where the software does not verify the integrity or authenticity of .linkr manifest files before using them. An attacker can tamper with a manifest by adding malicious file entries, causing the client to download and potentially execute harmful files. This can lead to arbitrary file injection and possibly remote code execution if the malicious files are run. The issue arises from lack of manifest checksum verification, allowing attackers to modify manifests without detection. Version 2.0.1 fixes this by adding a manifest integrity check that compares the checksum of the manifest being extracted with the original author-created manifest, aborting extraction if they don't match. [1]

Impact Analysis

This vulnerability can impact you by allowing attackers to inject arbitrary malicious files into Linkr package distributions. When you extract these packages, the client downloads the attacker-supplied files without verifying their authenticity. If you then execute these malicious binaries or scripts, it can lead to remote code execution on your system, compromising confidentiality, integrity, and availability of your data and system. This can result in system compromise, data breaches, or service disruption. [1]

Detection Guidance

This vulnerability can be detected by verifying the integrity of .linkr manifest files before extraction. Specifically, you can use the Linkr tool's extract command in version 2.0.1 or later, which performs a manifest integrity check by comparing the SHA-256 checksum of the local manifest against the original manifest hosted on trusted servers. If the checksums mismatch, extraction is aborted and a warning is issued. Prior to updating, manual verification of manifest integrity is required by comparing checksums of the local and trusted remote manifests. There are no explicit commands provided in the resources, but using the Linkr extractor with integrity verification enabled (version 2.0.1+) is the recommended method. [1, 2]

Mitigation Strategies

Immediate mitigation steps include updating Linkr to version 2.0.1 or later, which includes a manifest integrity check that aborts extraction if the manifest checksum does not match the original. Until you can update, only use .linkr manifests from trusted sources, manually verify manifest integrity by comparing checksums, and host manifests on trusted servers to prevent tampering. Avoid extracting manifests from untrusted or unknown sources to reduce risk. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59334. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart