ViewVC’s standalone server exposes arbitrary server filesystem content_CVE-2025-54141

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Description

ViewVC is a browser interface for CVS and Subversion version control repositories. In versions 1.1.0 through 1.1.31 and 1.2.0 through 1.2.3, the standalone.py script provided in the ViewVC distribution can expose the contents of the host server's filesystem though a directory traversal-style attack. This is fixed in versions 1.1.31 and 1.2.4.

Basic Information

ID CVE-2025-54141

Source GitHub_M

Published Jul 22, 2025 at 21:35

Modified Jul 23, 2025 at 18:31

Affected Product

Vendor viewvc

Product viewvc

Version >= 1.1.0, < 1.1.31

Affected Versions viewvc viewvc >= 1.1.0, < 1.1.31
viewvc viewvc >= 1.2.0, < 1.2.4

CWE Classification

CWE-22 CWE-79

References

{
    "lastseen": "",
    "description": "ViewVC is a browser interface for CVS and Subversion version control repositories. In versions 1.1.0 through 1.1.31 and 1.2.0 through 1.2.3, the standalone.py script provided in the ViewVC distribution can expose the contents of the host server's filesystem though a directory traversal-style attack. This is fixed in versions 1.1.31 and  1.2.4.",
    "published": "2025-07-22T21:35:47.844Z",
    "modified": "2025-07-23T18:31:31.496Z",
    "type": "cve",
    "title": "ViewVC's standalone server exposes arbitrary server filesystem content",
    "source": "GitHub_M",
    "references": "https://github.com/viewvc/viewvc/security/advisories/GHSA-rv3m-76rj-q397\nhttps://github.com/viewvc/viewvc/issues/211\nhttps://github.com/viewvc/viewvc/commit/1dd84542c39b39e4a3f434db84a8ba3441d6a1e7\nhttps://github.com/viewvc/viewvc/commit/5d7c76be07b77dce4ff631e9b866056344f11e84",
    "id": "CVE-2025-54141",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22",
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "viewvc viewvc >= 1.1.0, < 1.1.31\nviewvc viewvc >= 1.2.0, < 1.2.4",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "viewvc",
    "version": ">= 1.1.0, < 1.1.31",
    "vendor": "viewvc",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}