CVE-2025-65112
BaseFortify
Publication date: 2025-11-29
Last updated on: 2025-12-03
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ricardoboss | pubnet | < 1.1.4 (all versions before 1.1.4; 1.1.4 itself is not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
PubNet versions before 1.1.4 (the affected range listed above) expose the /api/storage/upload endpoint without authenticating the caller (CWE-306). The endpoint also takes an author-id value from the upload request and files the package under that author without checking that the requester is entitled to act as that author (CWE-862). Anyone who can reach the endpoint can therefore publish packages under any user's identity, which is what lets an attacker spoof identities, escalate privileges, and mount supply chain attacks against consumers of the repository.
How can this vulnerability impact me?
Because no credential is required, an attacker can upload packages that appear to come from any author the repository knows, including its most trusted ones. Anything installed from the repository on the strength of that author name may then be attacker-controlled code, so the integrity and trustworthiness of the whole package repository is compromised; the record also lists privilege escalation, since the attacker acts as another user.
What immediate steps should I take to mitigate this vulnerability?
Upgrade PubNet to version 1.1.4 or later, the first release outside the affected range listed above, which adds authentication to the upload endpoint and stops it from trusting a client-supplied author-id. Until the upgrade is deployed, restrict network access to /api/storage/upload (for example, expose it only to trusted publisher hosts or behind a reverse proxy that enforces authentication), and review recently uploaded packages for versions that the named author did not actually publish.
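The following is an added illustration of the flaw class described in the answers above, not PubNet's code and not written in PubNet's implementation language: a minimal upload handler that trusts a client-supplied author-id with no authentication, next to a hardened handler that derives the publisher from a bearer token and checks both the claimed author-id and package ownership. The request shape, the token table, the handler names and the response format are assumptions made for the demonstration.

```python
"""Model of the missing-authentication (CWE-306) and missing-authorization
(CWE-862) flaw in a package-upload endpoint. Added example; not PubNet's
code. Request shape, token table and handler names are assumptions."""
import hmac
from dataclasses import dataclass, field

# Constructed sample credentials: bearer tokens issued to two publishers.
API_TOKENS = {
    "tok-alice-0001": "alice",
    "tok-bob-0002": "bob",
}


@dataclass
class UploadRequest:
    headers: dict   # HTTP headers as received
    form: dict      # multipart fields, e.g. author-id, name, version


@dataclass
class Repository:
    owners: dict = field(default_factory=dict)    # package name -> author
    uploads: list = field(default_factory=list)   # (author, name, version)


class HttpError(Exception):
    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status


def vulnerable_upload(repo: Repository, req: UploadRequest):
    """Pre-fix behaviour: no credential is checked and the client-supplied
    author-id is trusted, so any caller can publish as any author."""
    author = req.form["author-id"]
    name, version = req.form["name"], req.form["version"]
    repo.owners.setdefault(name, author)
    repo.uploads.append((author, name, version))
    return 201, {"author": author, "name": name, "version": version}


def authenticate(req: UploadRequest) -> str:
    """CWE-306 fix: resolve the caller's identity from a bearer token."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        raise HttpError(401, "authentication required")
    for stored, author in API_TOKENS.items():
        if hmac.compare_digest(stored, token):   # constant-time comparison
            return author
    raise HttpError(401, "invalid token")


def fixed_upload(repo: Repository, req: UploadRequest):
    """Post-fix behaviour: identity comes from the credential, a mismatching
    author-id is rejected, and only a package's owner may publish versions."""
    caller = authenticate(req)
    claimed = req.form.get("author-id", caller)
    if claimed != caller:                         # CWE-862 fix, part 1
        raise HttpError(403, "author-id does not match authenticated user")
    name, version = req.form["name"], req.form["version"]
    owner = repo.owners.setdefault(name, caller)   # first publisher owns it
    if owner != caller:                           # CWE-862 fix, part 2
        raise HttpError(403, f"{name} is owned by another publisher")
    repo.uploads.append((caller, name, version))
    return 201, {"author": caller, "name": name, "version": version}


def run_scenarios() -> dict:
    """Replays constructed requests against both handlers; returns statuses."""
    def status(handler, repo, req):
        try:
            return handler(repo, req)[0]
        except HttpError as e:
            return e.status

    bob_auth = {"Authorization": "Bearer tok-bob-0002"}
    alice_auth = {"Authorization": "Bearer tok-alice-0001"}
    anon_as_alice = UploadRequest({}, {"author-id": "alice", "name": "evil_pkg", "version": "1.0.0"})
    bob_as_alice = UploadRequest(bob_auth, {"author-id": "alice", "name": "evil_pkg", "version": "1.0.1"})
    bob_as_bob = UploadRequest(bob_auth, {"author-id": "bob", "name": "bob_tools", "version": "0.1.0"})
    alice_own = UploadRequest(alice_auth, {"name": "alice_lib", "version": "2.0.0"})
    bob_hijack = UploadRequest(bob_auth, {"name": "alice_lib", "version": "2.0.1"})

    vuln, fixed = Repository(), Repository()
    return {
        "vulnerable_anon_as_alice": status(vulnerable_upload, vuln, anon_as_alice),
        "fixed_anon_as_alice": status(fixed_upload, fixed, anon_as_alice),
        "fixed_bob_as_alice": status(fixed_upload, fixed, bob_as_alice),
        "fixed_bob_as_bob": status(fixed_upload, fixed, bob_as_bob),
        "fixed_alice_own_pkg": status(fixed_upload, fixed, alice_own),
        "fixed_bob_hijacks_alice_pkg": status(fixed_upload, fixed, bob_hijack),
    }


if __name__ == "__main__":
    for scenario, code in run_scenarios().items():
        print(f"{scenario}: HTTP {code}")
```

The point of the two handlers is where identity comes from: the vulnerable one reads it from the request body, so the 201 for an anonymous upload "as alice" is the whole bug, while the hardened one ignores nothing the client says but verifies it against a credential, returning 401 with no token, 403 when the claimed author-id or the package's existing owner does not match the caller, and 201 only for the caller's own packages.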