Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
oma is a package manager for AOSC OS. Prior to 1.25.2, oma-topics is responsible for fetching metadata for testing repositories (topics) named "Topic Manifests" ({mirror}/debs/manifest/topics.json) from remote repository servers, registering them as APT source entries. However, the name field in said metadata were not checked for transliteration. In this case, a malicious party may supply a malformed Topic Manifest, which may cause malicious APT source entries to be added to /etc/apt/sources.list.d/atm.list as oma-topics finishes fetching and registering metadata. This vulnerability is fixed in 1.25.2.
AnalysisAI
oma package manager prior to version 1.25.2 fails to validate the name field in Topic Manifest metadata, allowing remote attackers with high privileges and network access to inject malicious APT source entries into /etc/apt/sources.list.d/atm.list. This manipulation could lead to supply chain attacks by redirecting package installation to attacker-controlled repositories, though exploitation requires specific preconditions including user interaction and partial attack timing. The vulnerability has been fixed in version 1.25.2.
Technical ContextAI
oma is the package manager for AOSC OS and uses oma-topics to fetch and register repository metadata from remote servers. The vulnerability exists in the validation logic for Topic Manifest files (JSON metadata fetched from {mirror}/debs/manifest/topics.json). The root cause, classified as CWE-93 (Improper Neutralization of Special Elements used in an LDAP Query), indicates insufficient input validation and sanitization of the name field before these values are written to APT source configuration files. When a malformed Topic Manifest is supplied by a malicious repository, the unvalidated name field gets registered as APT source entries without proper transliteration or escaping, enabling injection of arbitrary APT source directives. The affected product is identified by CPE cpe:2.3:a:aosc-dev:oma:*:*:*:*:*:*:*:* for all versions prior to 1.25.2.
RemediationAI
Upgrade oma to version 1.25.2 or later, which implements proper validation and transliteration of the name field in Topic Manifest metadata. Users should apply this patch immediately, particularly if their systems are configured to use remote AOSC repositories. The fix is available in the official release at https://github.com/AOSC-Dev/oma/releases/tag/v1.25.2. Additionally, administrators should audit /etc/apt/sources.list.d/atm.list for any suspicious or unexpected APT source entries that may have been injected prior to patching, and verify that APT sources point only to trusted AOSC mirrors.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20962