Platform: python
Component: securedrop-client
Fixed in: 0.14.2
CVE-2025-24888 describes a Path Traversal vulnerability discovered in the SecureDrop Client, a desktop application used by journalists to securely receive submissions from sources. This vulnerability allows a malicious SecureDrop Server to potentially gain code execution on the SecureDrop Client virtual machine (sd-app). The vulnerability affects versions of the SecureDrop Client prior to 0.14.1, and a fix is available in version 0.14.1.
The primary impact of CVE-2025-24888 is the potential for remote code execution (RCE) on the SecureDrop Client virtual machine. A compromised SecureDrop Server, which itself is designed to be hardened and isolated, could exploit this vulnerability to execute arbitrary code within the client environment. This could lead to data exfiltration, system compromise, or further attacks against the journalist's workstation. Given SecureDrop's purpose of protecting sensitive journalistic communications, this vulnerability poses a significant risk to the confidentiality and integrity of submitted materials and the security of the journalist’s systems.
CVE-2025-24888 was publicly disclosed on February 13, 2025. The vulnerability's impact, combined with the critical nature of SecureDrop's use case, warrants careful attention. No public proof-of-concept (PoC) code has been released as of this writing. The vulnerability is not currently listed on CISA KEV. The potential for exploitation depends on the attacker's ability to compromise the SecureDrop Server, which is designed to be highly secure.
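To make the "path traversal in a client" class that this advisory names concrete, the following added example (not securedrop-client's own code; the page does not describe the exact affected code path, and the download directory, function names and filename policy are assumptions) contrasts a naive destination path built from a server-supplied filename with a hardened version that confines every path to the client's download directory.

```python
import os
import re
from pathlib import Path

# Constructed example. The server is treated as untrusted, so every filename it
# sends is checked before it is used to create a file under the client's
# download directory. The directory below is assumed for illustration and is
# not securedrop-client's real layout.
DOWNLOAD_DIR = "/home/user/Downloads/securedrop"

# Allow-list for a bare filename: no separators, no NUL, no leading dot,
# at most 255 characters. Anything else is rejected outright.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


class UnsafeFilename(ValueError):
    """Raised when a server-supplied name could escape the download directory."""


def naive_destination(server_name: str, base_dir: str = DOWNLOAD_DIR) -> str:
    """Vulnerable pattern: trust the name and join it onto the base directory.

    os.path.join discards base_dir entirely when server_name is absolute, and
    keeps '..' components, so the result may point anywhere on the filesystem.
    """
    return os.path.join(base_dir, server_name)


def destination_for(server_name: str, base_dir: str = DOWNLOAD_DIR) -> Path:
    """Hardened pattern: map an untrusted filename to a path inside base_dir.

    Two independent checks: the allow-list above on the bare name, then a
    containment check on the fully resolved path so that even a later
    relaxation of the allow-list cannot let '..' or an absolute path climb out.
    """
    if not _SAFE_NAME.fullmatch(server_name):
        raise UnsafeFilename(f"rejected filename from server: {server_name!r}")
    base = Path(base_dir).resolve()
    candidate = (base / server_name).resolve()
    # commonpath rather than a string-prefix test, so that a sibling directory
    # such as base_dir + "2" is not mistaken for being inside base_dir.
    if os.path.commonpath([str(base), str(candidate)]) != str(base):
        raise UnsafeFilename(f"path escapes download directory: {candidate}")
    return candidate


def is_safe(server_name: str) -> bool:
    """True only for names that destination_for accepts."""
    try:
        destination_for(server_name)
    except UnsafeFilename:
        return False
    return True
```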
Exploit Status
EPSS: 3.07% (87th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-24888 is to immediately upgrade the SecureDrop Client to version 0.14.1 or later. If upgrading is not immediately feasible due to compatibility concerns or system downtime requirements, consider isolating the SecureDrop Client from the potentially malicious SecureDrop Server. Network segmentation and strict firewall rules can limit the server's ability to communicate with the client. Monitor network traffic for unusual connections between the server and client. After upgrading, confirm the fix by verifying the SecureDrop Client version and testing communication with a trusted SecureDrop Server.
Update SecureDrop Client to version 0.14.1 or later. This version fixes the path traversal vulnerability. The update can be performed through SecureDrop's usual distribution channels.
CVE-2025-24888 is a Path Traversal vulnerability affecting SecureDrop Client versions prior to 0.14.1. It allows a malicious SecureDrop Server to potentially execute code on the client's virtual machine.
You are affected if you are using SecureDrop Client version 0.14.1 or earlier. Upgrade to 0.14.1 or later to mitigate the risk.
Upgrade the SecureDrop Client to version 0.14.1 or later. If immediate upgrade is not possible, isolate the client from potentially malicious servers.
As of the current date, there are no confirmed reports of active exploitation, but the vulnerability's severity warrants immediate attention.
Refer to the official SecureDrop security advisories on their website: https://securedrop.email/security/