ViewVC’s standalone server exposes arbitrary server filesystem content

CVE Details

Basic Information

Title ViewVC’s standalone server exposes arbitrary server filesystem content
Type cve
Published 2025-07-22T21:35:47.844Z
Modified 2025-07-22T21:35:47.844Z

Product Information

Vendor viewvc
Product viewvc
Version >= 1.1.0, < 1.1.31

CVSS Information

Base Score 7.5 (HIGH)
Attack Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products

  • viewvc viewvc >= 1.1.0, < 1.1.31
  • viewvc viewvc >= 1.2.0, < 1.2.4

Additional Information

CWE List CWE-22, CWE-79
Source GitHub_M

Description

ViewVC is a browser interface for CVS and Subversion version control repositories. In versions 1.1.0 through 1.1.31 and 1.2.0 through 1.2.3, the standalone.py script provided in the ViewVC distribution can expose the contents of the host server’s filesystem through a directory traversal-style attack. This is fixed in versions 1.1.31 and 1.2.4.
