Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionNVD
Debusine is an integrated solution to build, distribute and maintain a Debian-based distribution. Debian source packages (.dsc) and upload artifacts (.changes) are manifest files that name the files that make up the artifact. The parser used to read these files in Debusine accepted arbitrary fully user-controlled paths. The mergeuploads task could be abused to create arbitrary symbolic links on a worker, overwriting any file that the worker user has access to.
AnalysisAI
Arbitrary symlink creation in Debusine's mergeuploads task allows remote unauthenticated attackers to overwrite files accessible to the worker process. Affected versions 0.12.0 through 0.14.8 fail to sanitize fully user-controlled paths embedded in Debian manifest files (.dsc and .changes), enabling path traversal via CWE-59 link-following. Despite a CVSS network-accessible, no-auth vector, real-world risk is bounded by deployment context - exploitation requires the ability to submit packages to a Debusine instance. No public exploit identified at time of analysis and EPSS sits at 0.02% (4th percentile).
Technical ContextAI
Debusine is a Freexian-maintained platform for building, distributing, and maintaining Debian-based distributions. It processes Debian source package manifests (.dsc) and upload artifacts (.changes), which are structured text files listing constituent file paths. The vulnerability is rooted in CWE-59 (Improper Link Resolution Before File Access): the manifest parser accepted arbitrary, fully user-controlled file paths without canonicalization or containment checks. The mergeuploads task - responsible for combining upload artifacts on worker nodes - consumed these unsanitized paths and could be directed to create symbolic links pointing to arbitrary filesystem locations. The affected component is confirmed by CPE cpe:2.3:a:debian:debusine:*:*:*:*:*:*:*:* covering versions 0.12.0 through 0.14.8.
RemediationAI
Upgrade Debusine to version 0.14.9 or later, which includes the fix introduced in commit c24cdc49fb258714767546bdec5b09f8065d414e and merged via merge request !3103 at https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3103. The upstream fix is available from the vendor; a tagged patched release version is confirmed by the EUVD affected-versions range ending at 0.14.9. If immediate upgrade is not possible, operators should restrict who can submit .dsc and .changes files to the Debusine instance to trusted, authenticated parties only - this limits the attack surface since exploitation requires submitting crafted manifest files. Additionally, consider running worker processes under a dedicated low-privilege account to reduce the impact radius of any successful symlink overwrite. Neither workaround eliminates the underlying path traversal; they are compensating controls only until the patch is applied.
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35999
GHSA-29fv-9q46-q5g2