CVE-2025-54433: Bugsink Path Traversal Vulnerability Allows File Overwrites

Bugsink, a self-hosted error tracking service, is susceptible to a path traversal vulnerability that could allow authenticated users to overwrite files on the server. This issue affects versions 1.4.2 and below, 1.5.0 through 1.5.4, 1.6.0 through 1.6.3, and 1.7.0 through 1.7.3. Immediate patching is recommended to mitigate this risk.

Vulnerability Details

  • CVE ID: CVE-2025-54433
  • Description: The Bugsink ingestion paths construct file locations directly from untrusted event_id input without proper validation. A specially crafted event_id can lead to paths outside the intended directory, enabling file overwrite or creation in arbitrary locations. Access to a valid DSN (Data Source Name) is required to submit such input.
  • CVSS Score and Vector:
    • CVSS v4.0: 7.2 HIGH
    • Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
    • Explanation: This CVSS v4.0 score indicates a high-severity vulnerability. An attacker can exploit it remotely (AV:N) with low complexity (AC:L), requiring no user interaction (UI:N) but needing low privileges (PR:L), here a valid DSN. Successful exploitation has a high integrity and availability impact (VI:H/VA:H): the attacker can modify files on the server and disrupt services.
  • Exploit Requirements: Valid DSN access, knowledge of the Bugsink API.
  • Affected Vendor, Product, Version: Bugsink versions 1.4.2 and below, 1.5.0 through 1.5.4, 1.6.0 through 1.6.3, and 1.7.0 through 1.7.3.
  • CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). This means an attacker can manipulate file paths to access or modify files outside the intended directory.

Timeline of Events

  • 2025-07-30: CVE-2025-54433 publicly disclosed.
  • 2025-07-30: Security patches released by Bugsink.

Exploitability & Real-World Risk

The path traversal vulnerability in Bugsink presents a significant risk. With a valid DSN, an attacker could craft a malicious event_id to overwrite critical files on the server. In containerized environments, the impact is limited to the container's filesystem. However, in non-containerized setups, the attacker could potentially compromise the entire system, depending on the permissions of the Bugsink user.

Recommendations

  • Upgrade Bugsink: Update to versions 1.4.3, 1.5.5, 1.6.4, or 1.7.4, which contain the necessary fixes.
  • Review DSN Access: Ensure that DSNs are securely managed and only accessible to authorized personnel.
  • Containerization: Deploy Bugsink in a containerized environment to limit the impact of potential exploits.

Technical Insight

The vulnerability stems from a lack of proper validation of the event_id parameter when constructing file paths. By injecting directory traversal sequences (e.g., ../) into the event_id, an attacker can navigate outside the intended directory and overwrite files in other locations.
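The following is an added illustration of the bug class described above, not Bugsink's own code: a naive path join that honours traversal sequences in event_id, beside a hardened version that allow-lists the event_id format (Sentry-style ids are 32 hex characters) and then confirms the resolved path still sits under the ingest directory. The base directory and function names are assumptions for the example.

```python
# Added example (not Bugsink's code): constructing an event file path from an
# untrusted event_id. The base directory is a constructed value for the demo.
import os
import re
from pathlib import Path

# Sentry-style event ids: 32 lowercase hex characters (a UUID without dashes).
EVENT_ID_RE = re.compile(r"[0-9a-f]{32}")


class InvalidEventId(ValueError):
    """Raised when an event_id fails validation or containment checks."""


def naive_event_path(base_dir: str, event_id: str) -> str:
    # The weak pattern: untrusted input goes straight into the path.
    # "../" segments are honoured, so the result can leave base_dir.
    return os.path.normpath(os.path.join(base_dir, event_id))


def escapes_base(base_dir: str, event_id: str) -> bool:
    # Detection helper: does the naive join produce a path outside base_dir?
    base = os.path.normpath(base_dir)
    target = naive_event_path(base_dir, event_id)
    return os.path.commonpath([base, target]) != base


def safe_event_path(base_dir: str, event_id: str) -> Path:
    # Defence 1: allow-list the format. This rejects "/", "..", NUL bytes and
    # anything that is not a canonical 32-hex event id.
    if not EVENT_ID_RE.fullmatch(event_id):
        raise InvalidEventId("event_id must be 32 lowercase hex characters")
    base = Path(base_dir).resolve()
    candidate = (base / event_id).resolve()
    # Defence 2: containment check on the resolved path, so that a symlink or
    # a future change to the allow-list cannot silently reintroduce escapes.
    if base not in candidate.parents:
        raise InvalidEventId("resolved path escapes the ingest directory")
    return candidate


if __name__ == "__main__":
    base = "/var/lib/bugsink/ingest"  # constructed path for the demo
    print(escapes_base(base, "../../../tmp/owned"))           # True
    print(escapes_base(base, "0123456789abcdef0123456789abcdef"))  # False
    print(safe_event_path(base, "0123456789abcdef0123456789abcdef"))
```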

Credit to Researcher(s)

This vulnerability was reported via GitHub security advisories.

Tags

#Bugsink #CVE-2025-54433 #PathTraversal #FileOverwrite #Security

Summary: A path traversal vulnerability (CVE-2025-54433) exists in Bugsink, allowing attackers with a valid DSN to overwrite files on the server. Update to versions 1.4.3, 1.5.5, 1.6.4, or 1.7.4 to mitigate this vulnerability. Ensure DSNs are securely managed and consider containerizing Bugsink.

CVE ID: CVE-2025-54433

Risk Analysis: Successful exploitation could lead to data corruption, system compromise, or denial of service. The impact is more significant in non-containerized environments, where the attacker could potentially access and modify sensitive system files.

Recommendation: Update to Bugsink versions 1.4.3, 1.5.5, 1.6.4, or 1.7.4. Ensure that DSNs are securely managed. Deploy Bugsink in a containerized environment to limit the impact of potential exploits.
