Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
8DescriptionGitHub Advisory
SecureDrop Client is a desktop app for journalists to securely communicate with sources and handle submissions on the SecureDrop Workstation. In versions 0.17.4 and below, a compromised SecureDrop Server can achieve code execution on the Client's virtual machine (sd-app) by exploiting improper filename validation in gzip archive extraction, which permits absolute paths and enables overwriting critical files like the SQLite database. Exploitation requires prior compromise of the dedicated SecureDrop Server, which itself is hardened and only accessible via Tor hidden services. Despite the high attack complexity, the vulnerability is rated High severity due to its significant impact on confidentiality, integrity, and availability of decrypted source submissions. This issue is similar to CVE-2025-24888 but occurs through a different code path, and a more robust fix has been implemented in the replacement SecureDrop Inbox codebase. The issue has been fixed in version 0.17.5.
AnalysisAI
Path traversal in SecureDrop Client 0.17.4 and below allows a compromised SecureDrop Server to execute arbitrary code on journalist workstations by injecting malicious filenames during gzip archive extraction. The vulnerability enables overwriting the SQLite database and other critical files in the sd-app VM, potentially exposing decrypted source submissions. Fixed in version 0.17.5. No active exploitation confirmed (not in CISA KEV). CVSS 7.5 reflects high impact but complex attack chain requiring prior server compromise and user interaction. EPSS data not available, but real-world risk is constrained by the requirement to first breach a Tor-hidden, hardened server infrastructure.
Technical ContextAI
SecureDrop Client is a Qubes OS-based desktop application used by journalists to access submissions from confidential sources via the SecureDrop platform. The vulnerability (CWE-73: External Control of File Name or Path) stems from insufficient validation during gzip archive extraction. When processing archives from the server, the client fails to sanitize filenames containing absolute paths or directory traversal sequences. An attacker controlling the server can craft archives with malicious paths like '/home/user/.local/share/securedrop_client/svs.sqlite' to overwrite the application's SQLite database or other critical application files in the sd-app virtual machine. This attack vector differs from the similar CVE-2025-24888, occurring through an alternate code path in archive handling. The affected product is SecureDrop Client versions up to and including 0.17.4 (cpe:2.3:a:freedomofpress:securedrop-client:*:*:*:*:*:*:*:*). The vulnerability has been addressed with enhanced path validation in the SecureDrop Inbox replacement codebase.
RemediationAI
Upgrade SecureDrop Client to version 0.17.5 immediately, which contains the fix implemented in commit e518adaf897e7838467ccf9e1f28152ae6fe3655. The patch introduces robust filename validation during gzip archive extraction to prevent absolute paths and directory traversal sequences. SecureDrop operators should update through normal Qubes OS template and app VM update procedures as documented in SecureDrop Workstation administration guides. Until patching is complete, implement temporary compensating controls: restrict server access to only trusted administrators with multi-factor authentication, monitor server logs for unauthorized access or unusual archive creation activity, and consider deferring download of submissions if server compromise is suspected. Note that these mitigations do not eliminate risk if the server is already compromised, as malicious archives may have been planted prior to implementing controls. Organizations should also review server integrity and audit logs for indicators of prior compromise. The vendor advisory and commit details are available at https://github.com/freedomofpress/securedrop-client/security/advisories/GHSA-2jrc-x8fq-prvc and https://github.com/freedomofpress/securedrop-client/commit/e518adaf897e7838467ccf9e1f28152ae6fe3655.
Same weakness CWE-73 – External Control of File Name or Path
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23626