Platform
python
Component
bugsink
Fixed in
1.7.1
1.6.1
1.5.1
1.4.4
1.7.4
CVE-2025-54433 describes a Path Traversal vulnerability discovered in Bugsink versions up to 1.7.3. This flaw allows an attacker who possesses a valid Data Source Name (DSN) to manipulate file paths during the ingestion process, potentially leading to arbitrary file overwrites or creations. The vulnerability is mitigated by upgrading to version 1.7.4.
The core of this vulnerability lies in the direct construction of file paths from the eventid input without proper validation. A malicious eventid can be crafted to escape the intended directory, enabling an attacker to write files to unexpected locations on the system. While a valid DSN is required, the potential for DSN discovery, particularly through frontend code exposure, significantly broadens the attack surface. Successful exploitation could lead to data corruption, privilege escalation (depending on file permissions), and potentially even remote code execution if sensitive configuration files are overwritten.
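The defect class described above, as an added illustration that is not Bugsink's own code: a file path built directly from a client-supplied event id, beside a hardened version that allow-lists the id format and then confirms the resolved path still lies under the ingest directory. INGEST_DIR, the 32-hex-character id format and all function names are assumptions made for this example.

```python
"""Hypothetical illustration of the path-traversal pattern behind CVE-2025-54433.
This is NOT Bugsink's code; directory, id format and names are assumptions."""
import os
import re
from pathlib import Path

# Assumed base directory where ingested events are stored.
INGEST_DIR = Path("/tmp/bugsink-ingest-example")

# Assumed allow-list: a Sentry-style event id is 32 lowercase hex characters.
EVENT_ID_RE = re.compile(r"[0-9a-f]{32}")


def vulnerable_event_path(event_id: str) -> Path:
    """'Before' pattern: the id is joined into the path with no validation.
    os.path.join drops the base entirely when the id is absolute, and
    '..' segments walk out of INGEST_DIR after normalisation."""
    return Path(os.path.join(INGEST_DIR, event_id))


def safe_event_path(event_id: str) -> Path:
    """Hardened version: reject anything that is not a well-formed id, then
    resolve the result and confirm it is still inside INGEST_DIR
    (the second check is defence in depth if the format rule ever loosens)."""
    if not EVENT_ID_RE.fullmatch(event_id):
        raise ValueError("invalid event_id")
    candidate = (INGEST_DIR / event_id).resolve()
    if INGEST_DIR.resolve() not in candidate.parents:
        raise ValueError("event_id resolves outside the ingest directory")
    return candidate


def accepts(event_id: str) -> bool:
    """True if the hardened function accepts the id, False if it rejects it."""
    try:
        safe_event_path(event_id)
        return True
    except ValueError:
        return False


def escapes_ingest_dir(path: Path) -> bool:
    """True if the normalised path lies outside INGEST_DIR (used to show
    what the vulnerable pattern produces for a traversal-shaped id)."""
    base = os.path.normpath(INGEST_DIR)
    target = os.path.normpath(path)
    return os.path.commonpath([base, target]) != base
```

Running `escapes_ingest_dir(vulnerable_event_path(...))` on a constructed id such as `../../outside.txt` shows the vulnerable pattern leaving the ingest directory, while `accepts(...)` returns False for the same input and True only for a well-formed id.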
CVE-2025-54433 was publicly disclosed on 2025-07-29. The vulnerability's severity is rated HIGH with a CVSS score of 7.5. Currently, there are no known public exploits or active campaigns targeting this vulnerability. Its inclusion on the CISA KEV catalog is pending. The requirement of a valid DSN somewhat limits the immediate exploitability, but the potential for DSN leakage warrants careful attention.
Exploit Status
EPSS
0.21% (43rd percentile)
CISA SSVC
The primary mitigation for CVE-2025-54433 is to upgrade Bugsink to version 1.7.4 or later, which includes the necessary input validation to prevent path traversal. If immediate upgrading is not feasible, consider implementing stricter access controls on the DSN to limit potential attackers. Review frontend code for any accidental exposure of DSN credentials. Implement a Web Application Firewall (WAF) rule to filter requests containing suspicious characters in the eventid parameter. After upgrading, verify the fix by attempting to submit a crafted eventid designed to traverse outside the intended directory; the ingestion process should reject the request.
Update Bugsink to version 1.4.3, 1.5.5, 1.6.4 or 1.7.4, or later, as appropriate for your current version. This fixes the path traversal vulnerability by correctly validating the 'event_id' input. The update will prevent the possible overwriting or creation of files in arbitrary locations.
CVE-2025-54433 is a Path Traversal vulnerability in Bugsink versions up to 1.7.3, allowing attackers with a valid DSN to potentially overwrite or create files outside the intended directory.
If you are running Bugsink version 1.7.3 or earlier, you are potentially affected by this vulnerability. Assess your DSN security practices to determine your level of risk.
Upgrade Bugsink to version 1.7.4 or later to remediate the vulnerability. If upgrading is not immediately possible, implement stricter DSN access controls and WAF rules.
As of the current disclosure date, there are no known public exploits or active campaigns targeting CVE-2025-54433.
Refer to the official Bugsink project's security advisories and release notes for the most up-to-date information regarding CVE-2025-54433.