CVE-2025-52968

| EUVD-2025-18897 LOW
2025-06-23 [email protected]
2.7
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch Released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 15, 2026 - 22:10 euvd
EUVD-2025-18897
Analysis Generated
Mar 15, 2026 - 22:10 vuln.today
CVE Published
Jun 23, 2025 - 15:15 nvd
LOW 2.7

Tags

CSRF Ubuntu Debian

Description

xdg-open in xdg-utils through 1.2.1 can send requests containing SameSite=Strict cookies, which can facilitate CSRF. (For example, xdg-open could be modified to, by default, associate x-scheme-handler/https with the execution of a browser with command-line options that arrange for an empty cookie store, although this would add substantial complexity, and would not be considered a desirable or expected behavior by all users.) NOTE: this is disputed because integrations of xdg-open typically do not provide information about whether the xdg-open command and arguments were manually entered by a user, or whether they were the result of a navigation from content in an untrusted origin.

Analysis

xdg-open in xdg-utils through 1.2.1 can send requests containing SameSite=Strict cookies, which can facilitate CSRF. (For example, xdg-open could be modified to, by default, associate x-scheme-handler/https with the execution of a browser with command-line options that arrange for an empty cookie store, although this would add substantial complexity, and would not be considered a desirable or expected behavior by all users.) NOTE: this is disputed because integrations of xdg-open typically do not provide information about whether the xdg-open command and arguments were manually entered by a user, or whether they were the result of a navigation from content in an untrusted origin.

Technical Context

Cross-Site Request Forgery forces authenticated users to perform unintended actions by tricking their browser into sending forged requests.

Remediation

Implement anti-CSRF tokens for all state-changing operations. Use SameSite cookie attribute. Verify the Origin/Referer header on the server side.

Priority Score

14
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +14
POC: 0

Vendor Status

Ubuntu

Priority: Medium
xdg-utils
Release Status Version
upstream needs-triage -
bionic deferred -
focal deferred -
jammy deferred -
noble deferred -
oracular ignored end of life, was deferred [2025-10-20]
xenial deferred -
plucky ignored end of life, was deferred
questing deferred -

Debian

xdg-utils
Release Status Fixed Version Urgency
bookworm, bullseye vulnerable 1.1.3-4.1 -
forky, sid, trixie vulnerable 1.2.1-2 -
(unstable) fixed (unfixed) unimportant

Share

CVE-2025-52968 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy