Platform: python
Component: viewvc
Fixed in: 1.1.1, 1.2.1
CVE-2025-54141 is a high-severity vulnerability affecting ViewVC versions 1.1.0 through 1.2.3. The standalone.py script, included with ViewVC, is susceptible to a directory traversal attack, allowing unauthorized access to the host server's filesystem. This vulnerability is addressed in version 1.2.4, and users are strongly advised to upgrade.
This directory traversal vulnerability allows an attacker to read arbitrary files from the host server's filesystem. By manipulating the standalone.py script, an attacker can bypass intended access controls and potentially retrieve sensitive data such as configuration files, source code, or even user credentials. The potential impact is significant, as a successful exploitation could lead to complete compromise of the server. While the standalone.py script is not typically used in production environments, its presence introduces a significant attack surface if left unpatched.
This vulnerability was publicly disclosed on 2025-07-22. No known public exploits or active campaigns have been reported at the time of writing, and the vulnerability is not currently listed in the CISA KEV catalog. Exploitation is assessed as relatively difficult, since it requires direct access to the ViewVC installation and knowledge of the flaw in the standalone.py script.
Exploit Status
EPSS: 0.24% (47th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-54141 is to upgrade ViewVC to version 1.2.4 or later. If immediate upgrading is not possible, consider removing the standalone.py script from the ViewVC installation directory to eliminate the attack vector. While not a complete solution, restricting access to the ViewVC installation directory via firewall rules or access control lists can further reduce the risk. After upgrading, confirm the fix by attempting to access files outside the intended ViewVC directory via the standalone.py script; access should be denied.
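The verification step above checks one thing: that a request path can never resolve to a file outside the directory the script is meant to serve. The following added example is not ViewVC's code; it shows a constructed path-confinement helper for a standalone file server of this kind, the classic unchecked join beside it, and a small constructed directory tree that exercises both.

```python
import os
import tempfile
import urllib.parse
from typing import Optional

# Added example, not code from ViewVC's standalone.py: the helper names and
# the directory layout in demo() are constructed for illustration.


def naive_resolve(root: str, request_path: str) -> str:
    """The classic traversal mistake: join the request onto root and trust it."""
    return os.path.join(root, urllib.parse.unquote(request_path).lstrip("/"))


def resolve_under_root(root: str, request_path: str) -> Optional[str]:
    """Return the on-disk path for a request, or None if it escapes `root`."""
    root = os.path.realpath(root)
    # Decode percent-encoding first so "%2e%2e" is treated exactly like "..".
    decoded = urllib.parse.unquote(request_path)
    # Strip leading slashes: os.path.join() would otherwise discard `root`
    # entirely when handed an absolute component.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # realpath() resolves ".." and symlinks, so this containment check
    # catches both lexical traversal and links that point outside root.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def serve(root: str, request_path: str) -> int:
    """Minimal handler returning an HTTP status: 200, 403 (escape) or 404."""
    target = resolve_under_root(root, request_path)
    if target is None:
        return 403
    return 200 if os.path.isfile(target) else 404


def demo() -> dict:
    """Build a constructed tree (docroot plus one file outside it) and probe it."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "viewvc")
    os.makedirs(docroot)
    open(os.path.join(docroot, "index.html"), "w").write("<h1>ok</h1>")
    open(os.path.join(base, "secret.txt"), "w").write("outside the docroot")
    os.symlink(os.path.join(base, "secret.txt"), os.path.join(docroot, "link"))
    return {
        "normal": serve(docroot, "/index.html"),
        "dotdot": serve(docroot, "/../secret.txt"),
        "encoded": serve(docroot, "/%2e%2e/secret.txt"),
        "symlink": serve(docroot, "/link"),
        # The unchecked join lands on the outside file, which is what a
        # traversal bug lets a server read.
        "naive_would_serve": os.path.isfile(naive_resolve(docroot, "/../secret.txt")),
    }
```

Note that a plain string-prefix check on the naive join would not help: `docroot + "/../secret.txt"` still starts with the docroot, which is why the containment test is done on the realpath-resolved candidate.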
Upgrade ViewVC to version 1.1.31 or later if you are using the 1.1.x branch, or to version 1.2.4 or later if you are using the 1.2.x branch. This fixes the directory traversal vulnerability in the standalone.py script. You can download the latest version from the official ViewVC website or from the source code repository.
CVE-2025-54141 is a high-severity vulnerability affecting ViewVC versions 1.1.0 through 1.2.3, allowing attackers to expose the host filesystem through the standalone.py script.
You are affected if you are running ViewVC versions 1.1.0 through 1.2.3. Upgrade to version 1.2.4 or later to resolve the vulnerability.
Upgrade ViewVC to version 1.2.4 or later. As a temporary workaround, remove the standalone.py script from the installation directory.
No active exploitation has been reported as of the disclosure date, but the vulnerability remains a risk until patched.
Refer to the official ViewVC security advisories on their website or mailing list for the latest information and updates.