Skip to main content

libzypp CVE-2026-25707

| EUVDEUVD-2026-40062 HIGH
Relative Path Traversal (CWE-23)
2026-06-29 meissner@suse.de GHSA-4h5m-3w75-qcq5
8.8
CVSS 3.1 · Vendor: suse
Share

Severity by source

Vendor (suse) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-delivered metadata (AV:N) with no attacker auth (PR:N) but mandatory victim repo refresh (UI:R); root-privileged file overwrite yields privesc, so I:H/A:H and C:H via resulting code execution.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (suse).

CVSS VectorVendor: suse

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 29, 2026 - 12:01 EUVD
Source Code Evidence Fetched
Jun 29, 2026 - 10:32 vuln.today
Analysis Generated
Jun 29, 2026 - 10:32 vuln.today

DescriptionCVE.org

A relative path traversal bug problem when processing repository metadata in libzypp before 17.38.10 could be used by remote attackers supplying repositories to overwrite files on the system, leading to denial of service or privilege escalation.

AnalysisAI

Arbitrary file overwrite in libzypp before 17.38.10 lets a remote attacker who controls a software repository plant crafted repository metadata (repomd/SUSE content files) with '../' location paths that escape the repo root, allowing files anywhere on the system to be overwritten when a victim adds and refreshes that repository. Because zypper-based refresh operations typically run as root, this can escalate to privilege escalation or denial of service. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Host or MITM a malicious repository
Delivery
Publish metadata with '../' location path
Exploit
Victim adds and refreshes repo as root
Execution
libzypp resolves traversal outside repo root
Persist
Overwrite sensitive system file
Impact
DoS or root privilege escalation

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to add and refresh/use an attacker-controlled (or MITM-intercepted) zypper repository, and the malicious repomd.xml or SUSE-tags content file must contain a location href, descrdir/datadir, or HASH entry using relative '../' path components that resolve outside the repository root. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The published CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, base 8.8) reflects network delivery with low complexity, no attacker privileges, but mandatory user interaction - the victim must configure and refresh the malicious repository. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts (or man-in-the-middles) a repository and publishes a repomd.xml or content file containing a <location href="../../etc/..."> style entry. When a victim adds that repository and runs a refresh/install as root, libzypp resolves the traversal path and overwrites a sensitive system file, enabling denial of service or planting attacker-controlled content that yields root-level privilege escalation. …
Remediation Vendor-released patch: 17.38.10 - upgrade libzypp to 17.38.10 or later via your SUSE/openSUSE update channel as the primary fix (commit f09feda7fca03c941218aab0bb161cc82b185b6b adds path sanitization that discards metadata entries resolving outside the repo root). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running libzypp versions earlier than 17.38.10 and catalog which systems have configured third-party repositories. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-25707 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy