{"id":"GHSA-q78p-g86f-jg6q","summary":"Bugsink path traversal via event_id in ingestion","details":"## Summary\n\nIn affected versions, ingestion paths construct file locations directly from untrusted `event_id` input without validation. A specially crafted `event_id` can result in paths outside the intended directory, potentially allowing file overwrite or creation in arbitrary locations.\n\nSubmitting such input requires access to a valid DSN. While that limits exposure, DSNs are sometimes discoverable—for example, when included in frontend code—and should not be treated as a strong security boundary.\n\n## Impact\n\nA valid DSN holder can craft an `event_id` that causes the ingestion process to write files outside its designated directory. This allows overwriting files accessible to the user running Bugsink.\n\nIf Bugsink runs in a container, the effect is confined to the container’s filesystem. In non-containerized setups, the overwrite may affect other parts of the system accessible to that user.\n\n## Mitigation\n\nUpdate to version `1.7.4`, `1.6.4`, `1.5.5` or `1.4.3` , which require `event_id` to be a valid UUID and normalizes it before use in file paths.","aliases":["CVE-2025-54433"],"modified":"2025-07-30T16:07:56.861105Z","published":"2025-07-29T20:13:51Z","database_specific":{"nvd_published_at":"2025-07-30T15:15:35Z","cwe_ids":["CWE-22"],"github_reviewed_at":"2025-07-29T20:13:51Z","severity":"HIGH","github_reviewed":true},"references":[{"type":"WEB","url":"https://github.com/bugsink/bugsink/security/advisories/GHSA-q78p-g86f-jg6q"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-54433"},{"type":"WEB","url":"https://github.com/bugsink/bugsink/commit/1001726f4389e982c486cdd5fa81941cb46cfc33"},{"type":"WEB","url":"https://github.com/bugsink/bugsink/commit/211ddf76758c808c095b5f836c363f148d934d21"},{"type":"WEB","url":"https://github.com/bugsink/bugsink/commit/2c41fbe3881bdea83399a7f9fdc8cff198ae089f"},{"type":"WEB","url":"https://github.com/bugsink/bugsink/commit/53cf1a17a3e96f7c83c7451fd56f980a09d0c9b0"},{"type":"WEB","url":"https://github.com/bugsink/bugsink/commit/55a155003d0b416ea008c5e7dcde85130ad21d9b"},{"type":"WEB","url":"https://github.com/bugsink/bugsink/commit/b94aa8a5c96ce8cdd9711b6beb4e518264993ac2"},{"type":"WEB","url":"https://github.com/bugsink/bugsink/commit/c341687bd655543730c812db35c29199f788be6b"},{"type":"WEB","url":"https://github.com/bugsink/bugsink/commit/c87217bd565122ba70af90436e3ab2cd9bee658f"},{"type":"PACKAGE","url":"https://github.com/bugsink/bugsink"}],"affected":[{"package":{"name":"bugsink","ecosystem":"PyPI","purl":"pkg:pypi/bugsink"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.7.0"},{"fixed":"1.7.4"}]}],"versions":["1.7.0","1.7.1","1.7.2","1.7.3"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-q78p-g86f-jg6q/GHSA-q78p-g86f-jg6q.json"}},{"package":{"name":"bugsink","ecosystem":"PyPI","purl":"pkg:pypi/bugsink"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.6.0"},{"fixed":"1.6.4"}]}],"versions":["1.6.0","1.6.1","1.6.2","1.6.3"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-q78p-g86f-jg6q/GHSA-q78p-g86f-jg6q.json"}},{"package":{"name":"bugsink","ecosystem":"PyPI","purl":"pkg:pypi/bugsink"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.5.0"},{"fixed":"1.5.5"}]}],"versions":["1.5.0","1.5.1","1.5.2","1.5.3","1.5.4"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-q78p-g86f-jg6q/GHSA-q78p-g86f-jg6q.json"}},{"package":{"name":"bugsink","ecosystem":"PyPI","purl":"pkg:pypi/bugsink"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.4.3"}]}],"versions":["0.0.1","0.1.12","0.1.13","0.1.14","0.1.15","0.1.16","0.1.17","0.1.18","0.1.19","0.1.20","1.0.0","1.0.1","1.1.0","1.1.1","1.1.2","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-q78p-g86f-jg6q/GHSA-q78p-g86f-jg6q.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"}]}