CVE-2025-64486
BaseFortify
Publication date: 2025-11-08
Last updated on: 2025-11-12
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kovidgoyal | calibre | 8.14.0 |
| kovidgoyal | calibre | 8.13.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in calibre versions 8.13.0 and earlier, where the software does not validate filenames when processing binary assets in FB2 (FictionBook) files. An attacker can exploit this by crafting a malicious FB2 file that, when viewed or converted in calibre, allows arbitrary files to be written to the filesystem. This can lead to arbitrary code execution on the affected system. The issue is fixed in version 8.14.0.
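An added illustration of the check the answer above says was missing (example code written here, not calibre's own implementation): an extractor that writes FB2 `<binary>` assets into an output directory only when the asset name is a plain filename, and independently verifies that the resolved path stays inside that directory. It assumes the FB2 convention that each `<binary>` element's `id` attribute names the asset file, and the sample document is constructed for the demonstration.

```python
import base64
import os
import tempfile
import xml.etree.ElementTree as ET

FB2_NS = "http://www.gribuser.ru/xml/fictionbook/2.0"

# Constructed sample document: one ordinary asset and two ids that must be
# rejected because they would resolve outside the output directory.
SAMPLE_FB2 = f"""<FictionBook xmlns="{FB2_NS}">
  <binary id="cover.jpg" content-type="image/jpeg">{base64.b64encode(b'JPEG').decode()}</binary>
  <binary id="../../escaped.txt" content-type="text/plain">{base64.b64encode(b'x').decode()}</binary>
  <binary id="/tmp/absolute.txt" content-type="text/plain">{base64.b64encode(b'y').decode()}</binary>
</FictionBook>
"""

def safe_asset_name(asset_id: str):
    """Return asset_id if it is a single plain filename component, else None."""
    if not asset_id or "\x00" in asset_id or asset_id in (".", ".."):
        return None
    # Any separator means a path, not a name; both styles are checked explicitly
    # because os.path.basename() only understands the host's own separator.
    if "/" in asset_id or "\\" in asset_id or os.path.basename(asset_id) != asset_id:
        return None
    return asset_id

def extract_binaries(fb2_text: str, out_dir: str):
    """Write each <binary> under out_dir; return (written names, rejected ids)."""
    root = ET.fromstring(fb2_text)
    out_root = os.path.realpath(out_dir)
    written, rejected = [], []
    for binary in root.iter(f"{{{FB2_NS}}}binary"):
        asset_id = binary.get("id", "")
        name = safe_asset_name(asset_id)
        target = os.path.realpath(os.path.join(out_root, name)) if name else ""
        # Defence in depth: the final path must sit directly inside out_root.
        if name is None or os.path.dirname(target) != out_root:
            rejected.append(asset_id)
            continue
        with open(target, "wb") as fh:
            fh.write(base64.b64decode(binary.text or ""))
        written.append(name)
    return written, rejected

def demo():
    """Run the extractor on the constructed sample inside a temporary directory."""
    with tempfile.TemporaryDirectory() as out_dir:
        return extract_binaries(SAMPLE_FB2, out_dir)
```

Running `demo()` writes only `cover.jpg` and reports the other two ids as rejected; a converter that applied such a check before writing would not let a document choose where its assets land.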
How can this vulnerability impact me?
If exploited, this vulnerability can allow an attacker to write arbitrary files to your filesystem and execute arbitrary code on your machine. This could lead to unauthorized control over your system, data compromise, or further attacks depending on the attacker's intent and the environment in which calibre is used.
What immediate steps should I take to mitigate this vulnerability?
Upgrade calibre to version 8.14.0 or later, as this version contains the fix for the vulnerability. Avoid opening or converting untrusted FB2 files until the upgrade is applied.