Platform: java
Component: migration-utils
Fixed in: 3.8.2
CVE-2025-23011 describes a Path Traversal vulnerability within the Fedora Repository software. This flaw allows a remote, authenticated attacker to upload a specially crafted archive, resulting in the extraction of arbitrary files and potential remote code execution. The vulnerability impacts versions 0 through 3.8.1 of Fedora Repository, which is no longer actively maintained. Mitigation involves migrating to a supported version, such as 6.5.1.
The primary impact of CVE-2025-23011 is the potential for remote code execution (RCE). An attacker can exploit this vulnerability by crafting a malicious archive (often referred to as a "Zip Slip") and uploading it to the Fedora Repository. Upon extraction, the archive will place arbitrary files, specifically JSP files, into locations accessible via unauthenticated GET requests. This allows the attacker to execute arbitrary code on the server hosting the Fedora Repository, effectively gaining control of the system. The blast radius extends to any data stored or processed by the repository, as an attacker could potentially access sensitive information or modify configurations.
CVE-2025-23011 was published on January 23, 2025. While no public exploits have been widely reported, the "Zip Slip" vulnerability pattern is well understood and has been exploited in other contexts. The EPSS score is likely medium, indicating a moderate probability of exploitation given the vulnerability's severity and the availability of techniques to exploit path traversal flaws. The CVE is not currently listed in CISA's KEV catalog.
Exploit Status
EPSS: 2.09% (84th percentile)
CISA SSVC:
CVSS Vector:
The recommended mitigation for CVE-2025-23011 is to upgrade to a supported version of Fedora Repository, specifically 6.5.1 or later. If an immediate upgrade is not feasible, consider implementing temporary workarounds. While a direct WAF rule is difficult to implement due to the nature of archive extraction, strict input validation on uploaded files can help prevent malicious archives from being processed. Specifically, restrict the types of files allowed for upload and implement robust file integrity checks. After upgrading, verify the fix by attempting to upload a known malicious archive and confirming that it fails to extract files outside of the intended directory.
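The defect class described above (an archive entry whose name climbs out of the extraction directory with ".." segments) and the validation recommended as a workaround can both be shown in a few dozen lines. The following Python is an added illustration and is not Fedora Repository or migration-utils code (that component is Java; the check itself is language-independent). It builds two constructed test archives in memory, one benign and one containing a traversal entry, audits them without touching disk, and then performs an all-or-nothing extraction that canonicalizes every entry path against the destination root before any file is written. The entry name, directory names and the "fcrepo-ingest-" prefix are assumptions made for the example.

```python
import io
import shutil
import tempfile
import zipfile
from pathlib import Path


class UnsafeArchiveEntry(ValueError):
    """Raised when an archive entry would be written outside the extraction root."""


def resolve_entry(root: Path, name: str) -> Path:
    """Return the on-disk target for entry `name`, or raise if it escapes `root`.

    The decision is made on the fully resolved path ('..' collapsed, symlinks in
    `root` followed), not on the raw string, so 'a/../../x' is caught as well
    as '../x'.
    """
    root = root.resolve()
    # Absolute paths and Windows drive specifiers are never legitimate for an
    # archive that is meant to be unpacked below a single directory.
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        raise UnsafeArchiveEntry(f"absolute entry path rejected: {name!r}")
    dest = (root / name).resolve()
    if dest != root and root not in dest.parents:
        raise UnsafeArchiveEntry(f"entry escapes extraction root: {name!r}")
    return dest


def audit_archive(data: bytes) -> list[str]:
    """Return the names of entries that would escape the extraction root.

    Detection only: nothing is written, so this can run on an upload before
    any extraction is attempted. The root used here is a placeholder.
    """
    bad = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            try:
                resolve_entry(Path("/audit-root"), info.filename)
            except UnsafeArchiveEntry:
                bad.append(info.filename)
    return bad


def safe_extract(data: bytes, root: Path) -> list[Path]:
    """Validate every entry first, then extract. Returns the files written.

    All-or-nothing: one escaping entry rejects the whole archive, so a crafted
    upload cannot place even one file before the offending entry is reached.
    """
    root = root.resolve()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        targets = [(info, resolve_entry(root, info.filename)) for info in zf.infolist()]
        written = []
        for info, dest in targets:
            if info.is_dir():
                dest.mkdir(parents=True, exist_ok=True)
                continue
            dest.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(dest)
    return written


def build_sample_archives() -> tuple[bytes, bytes]:
    """Constructed test vectors (not taken from the advisory): a benign archive
    and one whose second entry climbs out of the extraction directory."""
    benign = io.BytesIO()
    with zipfile.ZipFile(benign, "w") as zf:
        zf.writestr("data/record.xml", "<record/>")
    crafted = io.BytesIO()
    with zipfile.ZipFile(crafted, "w") as zf:
        zf.writestr("data/record.xml", "<record/>")
        # Assumed entry name; it only needs to contain '..' to exercise the check.
        zf.writestr("../../webapps/ROOT/escaped.jsp", "placeholder")
    return benign.getvalue(), crafted.getvalue()


def demo() -> dict:
    """Run the audit and the guarded extraction on the constructed archives."""
    benign, crafted = build_sample_archives()
    root = Path(tempfile.mkdtemp(prefix="fcrepo-ingest-"))
    out = {
        "benign_bad": audit_archive(benign),
        "crafted_bad": audit_archive(crafted),
        "crafted_rejected": False,
    }
    try:
        safe_extract(crafted, root)
    except UnsafeArchiveEntry:
        out["crafted_rejected"] = True
    # Rejection must leave the destination untouched.
    out["files_after_rejection"] = sum(1 for _ in root.rglob("*"))
    written = safe_extract(benign, root)
    out["benign_written"] = [p.relative_to(root.resolve()).as_posix() for p in written]
    return out


if __name__ == "__main__":
    print(demo())
```

The same resolve-then-compare check applies to tar archives, with the extra step of validating symlink and hardlink targets, which zip entries handled by Python's zipfile do not carry; on Python 3.12 and later, tarfile's extraction filters (filter="data") perform that validation for you.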
Update Fedora Repository to version 6.5.1 or later. This version fixes the path traversal vulnerability when extracting archives. Migrating to a supported version as soon as possible is recommended.
CVE-2025-23011 is a Path Traversal vulnerability affecting Fedora Repository versions 0–3.8.1, allowing attackers to upload malicious archives and potentially execute code.
You are affected if you are using Fedora Repository versions 0 through 3.8.1. Upgrade to 6.5.1 or later to mitigate the risk.
The primary fix is to upgrade to Fedora Repository version 6.5.1 or a later supported version. Consider input validation as a temporary workaround.
While no widespread exploitation has been publicly confirmed, the vulnerability pattern is well-known, and exploitation is possible.
Refer to the Fedora Security Advisories for the latest information: https://lists.fedoraproject.org/archives/fedora-security-announce/