{"id":"CVE-2025-54433","summary":"Bugsink is vulnerable to Path Traversal attacks via event_id in ingestion","details":"Bugsink is a self-hosted error tracking service. In versions 1.4.2 and below, 1.5.0 through 1.5.4, 1.6.0 through 1.6.3, and 1.7.0 through 1.7.3, ingestion paths construct file locations directly from untrusted event_id input without validation. A specially crafted event_id can result in paths outside the intended directory, potentially allowing file overwrite or creation in arbitrary locations. Submitting such input requires access to a valid DSN, potentially exposing them. If Bugsink runs in a container, the effect is confined to the container’s filesystem. In non-containerized setups, the overwrite may affect other parts of the system accessible to that user. This is fixed in versions 1.4.3, 1.5.5, 1.6.4 and 1.7.4.","aliases":["GHSA-q78p-g86f-jg6q"],"modified":"2026-04-10T05:30:38.265643Z","published":"2025-07-30T14:29:03.510Z","database_specific":{"cwe_ids":["CWE-22"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/54xxx/CVE-2025-54433.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/54xxx/CVE-2025-54433.json"},{"type":"ADVISORY","url":"https://github.com/bugsink/bugsink/security/advisories/GHSA-q78p-g86f-jg6q"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-54433"},{"type":"FIX","url":"https://github.com/bugsink/bugsink/commit/1001726f4389e982c486cdd5fa81941cb46cfc33"},{"type":"FIX","url":"https://github.com/bugsink/bugsink/commit/211ddf76758c808c095b5f836c363f148d934d21"},{"type":"FIX","url":"https://github.com/bugsink/bugsink/commit/2c41fbe3881bdea83399a7f9fdc8cff198ae089f"},{"type":"FIX","url":"https://github.com/bugsink/bugsink/commit/53cf1a17a3e96f7c83c7451fd56f980a09d0c9b0"},{"type":"FIX","url":"https://github.com/bugsink/bugsink/commit/55a155003d0b416ea008c5e7dcde85130ad21d9b"},{"type":"FIX","url":"https://github.com/bugsink/bugsink/commit/b94aa8a5c96ce8cdd9711b6beb4e518264993ac2"},{"type":"FIX","url":"https://github.com/bugsink/bugsink/commit/c341687bd655543730c812db35c29199f788be6b"},{"type":"FIX","url":"https://github.com/bugsink/bugsink/commit/c87217bd565122ba70af90436e3ab2cd9bee658f"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/bugsink/bugsink","events":[{"introduced":"6ec220b3d2619866975c6f65bc3b266673928fc7"},{"fixed":"ee1f4a94d819759bf2583d1adbe425fd3eb7bb48"}],"database_specific":{"versions":[{"introduced":"1.7.0"},{"fixed":"1.7.4"}]}},{"type":"GIT","repo":"https://github.com/bugsink/bugsink","events":[{"introduced":"b53b1c6ce2bd6f44d75d238f11fe1309ae342a3e"},{"fixed":"bcc240f78125a065bf1e03084408dbe39dbabeb0"}],"database_specific":{"versions":[{"introduced":"1.6.0"},{"fixed":"1.6.4"}]}},{"type":"GIT","repo":"https://github.com/bugsink/bugsink","events":[{"introduced":"dd339f73de93fe6d5f92fd45f81504e2dcfd63a4"},{"fixed":"5b0d0bba4480232c7f6e6493797cca385b93bb1b"}],"database_specific":{"versions":[{"introduced":"1.5.0"},{"fixed":"1.5.5"}]}},{"type":"GIT","repo":"https://github.com/bugsink/bugsink","events":[{"introduced":"0"},{"fixed":"f3092091815add697e7e52bbe151adae35d69f5a"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.4.3"}]}}],"versions":["0.1.0","0.1.1","0.1.10","0.1.11","0.1.12","0.1.13","0.1.14","0.1.15","0.1.16","0.1.17","0.1.18","0.1.19","0.1.2","0.1.20","0.1.3","0.1.4","0.1.5","0.1.6","0.1.7","0.1.8","0.1.9","1.0.0","1.0.1","1.1.0","1.1.1","1.1.2","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.5.0","1.5.1","1.5.2","1.5.3","1.5.4","1.6.0","1.6.1","1.6.2","1.6.3","1.7.0","1.7.1","1.7.2","1.7.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54433.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"}]}
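The CWE-22 pattern the advisory describes (a file location built straight from an untrusted `event_id`) and the shape of the fix are shown below as an added example. This is not Bugsink's code and is not taken from the linked commits: the store layout, the function names, and the assumption that an event ID is a 32-character lowercase hex string (the Sentry-protocol format) are all assumptions made for the illustration. The sandbox directory is created in a temp folder so the "escaped" write stays harmless.

```python
import os
import re
import shutil
import tempfile
from pathlib import Path

# Assumption for this example: event IDs are 32 lowercase hex chars
# (Sentry-style UUID without dashes). An allow-list on the identifier is
# the primary control; the containment check below is defence in depth.
EVENT_ID_RE = re.compile(r"[0-9a-f]{32}")


def accepts_event_id(event_id: str) -> bool:
    """Allow-list check: only a well-formed identifier may name a file."""
    return EVENT_ID_RE.fullmatch(event_id) is not None


def unsafe_event_path(store_dir: str, event_id: str) -> str:
    """Vulnerable pattern (hypothetical): path built from untrusted input.
    os.path.join follows '..' segments, and an absolute event_id makes it
    discard store_dir entirely."""
    return os.path.join(store_dir, event_id)


def safe_event_path(store_dir: str, event_id: str) -> Path:
    """Hardened pattern: validate the identifier, then verify that the
    resolved target is a direct child of the resolved store directory."""
    if not accepts_event_id(event_id):
        raise ValueError(f"invalid event_id: {event_id!r}")
    base = Path(store_dir).resolve()
    target = (base / event_id).resolve()
    if target.parent != base:
        raise ValueError("event path escapes store directory")
    return target


def escapes_store(store_dir: str, event_id: str) -> bool:
    """True if the unsafe construction would land outside store_dir."""
    base = os.path.realpath(store_dir)
    candidate = os.path.realpath(unsafe_event_path(store_dir, event_id))
    return os.path.commonpath([base, candidate]) != base


def write_event_unsafe(store_dir: str, event_id: str, payload: bytes) -> str:
    """Write with the vulnerable path construction; returns the real path
    that was actually written, which is the point of the demonstration."""
    path = unsafe_event_path(store_dir, event_id)
    with open(path, "wb") as fh:
        fh.write(payload)
    return os.path.realpath(path)


def demo() -> dict:
    """Run both constructions inside a throwaway sandbox and report what
    happened. Inputs are constructed for the example."""
    sandbox = Path(tempfile.mkdtemp(prefix="traversal-demo-")).resolve()
    store = sandbox / "store"
    store.mkdir()
    results = {}
    try:
        # Traversal id: the unsafe write lands in the sandbox root,
        # one level above the directory the code intended to use.
        written = write_event_unsafe(str(store), "../escaped.bin", b"x")
        results["unsafe_escaped"] = Path(written).parent == sandbox
        # The hardened version rejects the same input before touching disk.
        try:
            safe_event_path(str(store), "../escaped.bin")
            results["safe_rejected"] = False
        except ValueError:
            results["safe_rejected"] = True
        # A well-formed id is accepted and stays inside the store.
        good = safe_event_path(str(store), "0" * 32)
        results["safe_contained"] = good.parent == store
    finally:
        shutil.rmtree(sandbox, ignore_errors=True)
    return results


if __name__ == "__main__":
    print(demo())
```

The allow-list alone would have blocked the traversal; the `resolve()`-then-compare step is kept because it also catches symlinks inside the store and any future loosening of the identifier format, which is why a reviewer would want both in an ingestion path that writes attacker-named files.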