SB2025110718 - Fedora 42 update for gitleaks

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025110718

SB2025110718 - Fedora 42 update for gitleaks

Published: November 7, 2025

Security Bulletin ID SB2025110718
Severity
Medium
Patch available
YES
Number of vulnerabilities 8
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 75% Low 25%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 8 secuirty vulnerabilities.


1) Protection Mechanism Failure (CVE-ID: CVE-2025-47910)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient implementation of security measures in http.CrossOriginProtection. The AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. An attacker can bypass implemented security restrictions.


2) Input validation error (CVE-ID: CVE-2025-47906)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insufficient validation of the PATH environment variable in LookPath. A local user can pass specially crafted strings to the application and execute arbitrary OS commands with elevated privileges. 


3) Uncontrolled Memory Allocation (CVE-ID: CVE-2025-11579)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to software fails to restrict the dictionary size when reading large RAR dictionary sizes. A remote attacker can provide a specially crafted RAR archive and consume all available memory resources. 


4) Improper Encoding or Escaping of Output (CVE-ID: CVE-2025-58189)

The vulnerability allows a remote attacker to perform spoofing attacks.

The vulnerability exists due to missing sanitization of input data when the Conn.Handshake fails during ALPN negotiation in crypto/tls. A remote attacker can pass specially crafted input via an error message and influence the application behavior, leading to a potential spoofing attack. 


5) Resource exhaustion (CVE-ID: CVE-2025-61725)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the ParseAddress function in net/mail does not properly control consumption of internal resources. A remote attacker can compose a specially crafted email message that triggers excessive CPU consumption leading to denial of service. 


6) Resource exhaustion (CVE-ID: CVE-2025-61723)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in encoding/pem due to application does not properly control consumption of internal resources when parsing untrusted PEM input. A remote attacker can trigger CPU exhaustion and perform a denial of service (DoS) attack.


7) Resource exhaustion (CVE-ID: CVE-2025-58185)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in encoding/asn1 due to application does not properly control consumption of internal resources when parsing DER payloads. A remote attacker can trigger memory exhaustion and perform a denial of service (DoS) attack.


8) Input validation error (CVE-ID: CVE-2025-58188)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in crypto/x509 due to an error when validating certificate chains which contain DSA public keys. A remote attacker can pass a specially crafted certificate to the application and crash it.


Remediation

Install update from vendor's website.

References