A flaw was found in WebKitGTK. This vulnerability allows remote, user-assisted information disclosure that can reveal any file the user is permitted to read via abusing the file drag-and-drop mechanism where WebKitGTK does not verify that drag operations originate from outside the browser.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00055.

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Vendors Products
Redhat Subscribe
Enterprise Linux Subscribe
Rhel Aus Subscribe
Rhel E4s Subscribe
Rhel Els Subscribe
Rhel Eus Subscribe
Rhel Eus Long Life Subscribe
Rhel Tus Subscribe

No data.

No data.

No data.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4399-1 webkit2gtk security update
Debian DSA Debian DSA DSA-6074-1 webkit2gtk security update
Fixes

Solution

No solution given by the vendor.

Workaround

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

References
Link Providers
https://access.redhat.com/errata/RHSA-2025:22789 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:22790 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:23110 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:23433 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:23434 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:23451 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:23452 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:23583 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:23591 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:23742 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:23743 cve-icon cve-icon
https://access.redhat.com/security/cve/CVE-2025-13947 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=2418576 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-13947 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-13947 cve-icon
History

Mon, 22 Dec 2025 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Tus
CPEs cpe:/a:redhat:rhel_aus:8.6::appstream
cpe:/a:redhat:rhel_e4s:8.6::appstream
cpe:/a:redhat:rhel_e4s:8.8::appstream
cpe:/a:redhat:rhel_tus:8.6::appstream
cpe:/a:redhat:rhel_tus:8.8::appstream
Vendors & Products Redhat rhel Tus
References

Thu, 18 Dec 2025 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Els
CPEs cpe:/o:redhat:rhel_els:7
Vendors & Products Redhat rhel Els
References

Thu, 18 Dec 2025 09:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_eus:9.4::appstream
References

Wed, 17 Dec 2025 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_aus:8.2::appstream
cpe:/a:redhat:rhel_e4s:9.0::appstream
References

Wed, 17 Dec 2025 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel E4s
CPEs cpe:/a:redhat:rhel_e4s:9.2::appstream
Vendors & Products Redhat rhel E4s
References

Wed, 17 Dec 2025 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Aus
Redhat rhel Eus Long Life
CPEs cpe:/a:redhat:rhel_aus:8.4::appstream
cpe:/a:redhat:rhel_eus_long_life:8.4::appstream
Vendors & Products Redhat rhel Aus
Redhat rhel Eus Long Life
References

Thu, 11 Dec 2025 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Eus
CPEs cpe:/a:redhat:rhel_eus:9.6::appstream
Vendors & Products Redhat rhel Eus
References

Mon, 08 Dec 2025 07:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:8 cpe:/a:redhat:enterprise_linux:8::appstream
References

Mon, 08 Dec 2025 02:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:9 cpe:/a:redhat:enterprise_linux:9::appstream
References

Wed, 03 Dec 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 03 Dec 2025 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 03 Dec 2025 10:00:00 +0000

Type Values Removed Values Added
Description A flaw was found in WebKitGTK. This vulnerability allows remote, user-assisted information disclosure that can reveal any file the user is permitted to read via abusing the file drag-and-drop mechanism where WebKitGTK does not verify that drag operations originate from outside the browser.
Title Webkit: webkitgtk: remote user-assisted information disclosure via file drag-and-drop
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N'}

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2025-12-22T20:49:57.476Z

Reserved: 2025-12-03T09:02:32.759Z

Link: CVE-2025-13947

cve-icon Vulnrichment

Updated: 2025-12-03T14:12:27.094Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-12-03T10:15:47.710

Modified: 2025-12-22T07:16:07.130

Link: CVE-2025-13947

cve-icon Redhat

Severity : Important

Publid Date: 2025-12-03T00:00:00Z

Links: CVE-2025-13947 - Bugzilla

cve-icon OpenCVE Enrichment

No data.

Weaknesses

No weakness.