CVE 9.4 CRITICAL

PubNet Critical Authentication Bypass Allows Unauthenticated Package Upload and Identity Spoofing_CVE-2025-65112

November 28, 2025 invoker category_cve

9.4 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Description

PubNet is a self-hosted Dart & Flutter package service. Prior to version 1.1.3, the /api/storage/upload endpoint in PubNet allows unauthenticated users to upload packages as any user by providing arbitrary author-id values. This enables identity spoofing, privilege escalation, and supply chain attacks. This issue has been patched in version 1.1.3.

AI Analysis

Unauthenticated users can upload packages as any user, enabling identity spoofing, privilege escalation, and supply chain attacks

Basic Information

ID CVE-2025-65112

Source GitHub_M

Published Nov 29, 2025 at 00:38

Affected Product

Vendor ricardoboss

Product PubNet

Version < 1.1.3

Affected Versions ricardoboss PubNet < 1.1.3

CWE Classification

CWE-862 CWE-306

AI Assessment

AI Score 9.4 / 10

AI Severity Critical

Vendor ricardoboss

Product PubNet

Version < 1.1.3

References

github.com /ricardoboss/PubNet/security/advisories/GHSA-pg82-fqrg-q6j5

{
    "lastseen": "",
    "description": "PubNet is a self-hosted Dart & Flutter package service. Prior to version 1.1.3, the /api/storage/upload endpoint in PubNet allows unauthenticated users to upload packages as any user by providing arbitrary author-id values. This enables identity spoofing, privilege escalation, and supply chain attacks. This issue has been patched in version 1.1.3.",
    "published": "2025-11-29T00:38:41.672Z",
    "modified": "2025-11-29T00:38:41.672Z",
    "type": "cve",
    "title": "PubNet Critical Authentication Bypass Allows Unauthenticated Package Upload and Identity Spoofing",
    "source": "GitHub_M",
    "references": "https://github.com/ricardoboss/PubNet/security/advisories/GHSA-pg82-fqrg-q6j5",
    "id": "CVE-2025-65112",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862",
        "CWE-306"
    ],
    "cvelist": null,
    "sourceData": "ricardoboss PubNet < 1.1.3",
    "sourceHref": "",
    "cvss": {
        "score": 9.4,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "PubNet",
    "version": "< 1.1.3",
    "vendor": "ricardoboss",
    "ai_description": "Unauthenticated users can upload packages as any user, enabling identity spoofing, privilege escalation, and supply chain attacks",
    "ai_severity": "Critical",
    "ai_vendor": "ricardoboss",
    "ai_product": "PubNet",
    "ai_version": "< 1.1.3",
    "ai_score": 9.4
}

💭 Join the Security Discussion ❌ Cancel Reply