CVE

DEBIAN-CVE-2025-68119

Downloading and building modules with malicious version strings can cause local code execution.

CVE

DEBIAN-CVE-2025-68119

Downloading and building modules with malicious version strings can cause local code execution.

Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths.

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

3.1

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Related Resources

No items found.

References

https://security-tracker.debian.org/tracker/CVE-2025-68119

Severity

7

CVSS Score

Basic Information

Ecosystem

Base CVSS

EPSS Probability

EPSS Percentile

Introduced Version

Fix Available

1.24.13-1,1.25.6-1

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

DEBIAN-CVE-2025-68119

DEBIAN-CVE-2025-68119

Package Versions Affected

Automatically patch vulnerabilities without upgrading

CVSS Version

Related Resources

References

Severity

7

Basic Information

Fix Critical Vulnerabilities Instantly