{"id":"AZL-64296","summary":"CVE-2025-52968 affecting package xdg-utils 1.2.1-3","details":"xdg-open in xdg-utils through 1.2.1 can send requests containing SameSite=Strict cookies, which can facilitate CSRF. (For example, xdg-open could be modified to, by default, associate x-scheme-handler/https with the execution of a browser with command-line options that arrange for an empty cookie store, although this would add substantial complexity, and would not be considered a desirable or expected behavior by all users.) NOTE: this is disputed because integrations of xdg-open typically do not provide information about whether the xdg-open command and arguments were manually entered by a user, or whether they were the result of a navigation from content in an untrusted origin.","modified":"2026-04-21T04:32:21.517141Z","published":"2025-06-23T15:15:29Z","upstream":["CVE-2025-52968"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-52968"}],"affected":[{"package":{"name":"xdg-utils","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/xdg-utils"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"1.2.1-3"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-64296.json"}}],"schema_version":"1.7.5"}