CVE-2025-54141
Publication date 22 July 2025
Last updated 1 August 2025
Ubuntu priority
ViewVC is a browser interface for CVS and Subversion version control repositories. In versions 1.1.0 through 1.1.31 and 1.2.0 through 1.2.3, the standalone.py script provided in the ViewVC distribution can expose the contents of the host server's filesystem though a directory traversal-style attack. This is fixed in versions 1.1.31 and 1.2.4.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| viewvc | 25.04 plucky | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.5 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2025-54141
- https://github.com/viewvc/viewvc/security/advisories/GHSA-rv3m-76rj-q397
- https://github.com/viewvc/viewvc/issues/211
- https://github.com/viewvc/viewvc/commit/1dd84542c39b39e4a3f434db84a8ba3441d6a1e7 (1.2.4)
- https://github.com/viewvc/viewvc/commit/5d7c76be07b77dce4ff631e9b866056344f11e84 (1.1.31)