{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-59334","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2025-09-12T12:36:24.635Z","datePublished":"2025-09-16T16:48:34.887Z","dateUpdated":"2025-09-16T18:26:18.183Z"},"containers":{"cna":{"title":"Linkr allows manifest tampering leading to arbitrary file injection","problemTypes":[{"descriptions":[{"cweId":"CWE-347","lang":"en","description":"CWE-347: Improper Verification of Cryptographic Signature","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.7,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","version":"3.1"}}],"references":[{"name":"https://github.com/mohammadzain2008/Linkr/security/advisories/GHSA-6wph-mpv2-29xv","tags":["x_refsource_CONFIRM"],"url":"https://github.com/mohammadzain2008/Linkr/security/advisories/GHSA-6wph-mpv2-29xv"},{"name":"https://github.com/mohammadzain2008/Linkr/commit/182e5ddaa51972e144005b500c4bcebf2fd1a6c0","tags":["x_refsource_MISC"],"url":"https://github.com/mohammadzain2008/Linkr/commit/182e5ddaa51972e144005b500c4bcebf2fd1a6c0"}],"affected":[{"vendor":"mohammadzain2008","product":"Linkr","versions":[{"version":"< 2.0.1","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2025-09-16T16:48:34.887Z"},"descriptions":[{"lang":"en","value":"Linkr is a lightweight file delivery system that downloads files from a webserver. Linkr versions through 2.0.0 do not verify the integrity or authenticity of .linkr manifest files before using their contents, allowing a tampered manifest to inject arbitrary file entries into a package distribution. An attacker can modify a generated .linkr manifest (for example by adding a new entry with a malicious URL) and, when a user runs the extract command, the client downloads the attacker-supplied file without verification. This enables arbitrary file injection and creates a potential path to remote code execution if a downloaded malicious binary or script is later executed. Version 2.0.1 adds a manifest integrity check that compares the checksum of the original author-created manifest to the one being extracted and aborts on mismatch, warning if no original manifest is hosted. Users should update to 2.0.1 or later. As a workaround prior to updating, use only trusted .linkr manifests, manually verify manifest integrity, and host manifests on trusted servers."}],"source":{"advisory":"GHSA-6wph-mpv2-29xv","discovery":"UNKNOWN"}},"adp":[{"references":[{"url":"https://github.com/mohammadzain2008/Linkr/security/advisories/GHSA-6wph-mpv2-29xv","tags":["exploit"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-09-16T17:29:16.497619Z","id":"CVE-2025-59334","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-09-16T18:26:18.183Z"}}]}}