Impact
Debusine, the integrated tool for building and distributing Debian-based distributions, parsed Debian source packages and upload artifacts without sanitizing fully user-controlled paths. An attacker can craft a malicious .dsc or .changes file that contains arbitrary paths. When the mergeuploads task processes such a file, it can create symbolic links at any location on the worker's filesystem, effectively overwriting any file the worker user can access. This flaw allows a local source uploader to replace or modify critical files on the build worker, potentially enabling arbitrary code execution, privilege escalation, or the injection of malicious binaries into released packages.
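As an added illustration of the check a fixed parser needs (this is not Debusine's own code), the following Python reads the Files field of a .dsc or .changes and refuses any entry that is not a bare file name sitting directly inside the upload directory; the sample control text, file names and the upload directory path are constructed for the example.

```python
from pathlib import Path

# Constructed sample .dsc excerpt (hash and sizes are placeholders): one
# sane entry and one whose name carries a directory component, the class
# of input the advisory describes.
SAMPLE_DSC = """\
Files:
 d41d8cd98f00b204e9800998ecf8427e 1234 hello_2.10.orig.tar.gz
 d41d8cd98f00b204e9800998ecf8427e 99 ../escaped.debian.tar.xz
"""


def parse_files_field(control_text: str) -> list[str]:
    """Names under ``Files:``; .dsc rows are ``hash size name`` and
    .changes rows ``hash size section priority name``: name is last."""
    names, in_files = [], False
    for line in control_text.splitlines():
        if line.startswith("Files:"):
            in_files = True
        elif in_files and line.startswith(" "):  # indented continuation row
            tokens = line.split()
            if tokens:
                names.append(tokens[-1])
        elif in_files:
            break  # first unindented line ends the field
    return names


def resolve_upload_member(upload_dir: Path, name: str) -> Path:
    """Map a Files entry to a path directly inside upload_dir, else raise."""
    # Only a bare basename is acceptable: no separators, '.', '..' or NUL.
    if name in ("", ".", "..") or any(c in name for c in "/\\\0"):
        raise ValueError(f"unsafe file name in Files field: {name!r}")
    base = upload_dir.resolve()
    target = (base / name).resolve()  # also catches a pre-planted symlink
    if target.parent != base:
        raise ValueError(f"path escapes upload directory: {name!r}")
    return target


def check_upload(control_text: str, upload_dir: str) -> dict[str, str]:
    """Map each listed name to 'ok' or the rejection reason."""
    result = {}
    for name in parse_files_field(control_text):
        try:
            resolve_upload_member(Path(upload_dir), name)
            result[name] = "ok"
        except ValueError as exc:
            result[name] = str(exc)
    return result
```

Any entry rejected here must abort the whole upload before the task creates a single link, since a partially processed upload is exactly what leaves stray files on the worker.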
Affected Systems
All current releases of Debusine that include the described parser are vulnerable. The issue arises from the handling of .dsc and .changes files, so any version that accepts and processes these package metadata formats without additional path validation is affected.
Risk and Exploitability
No EPSS data or KEV listing is available, but the vulnerability grants the ability to overwrite files that the worker process owns. An attacker with access to upload a source package can exploit the flaw by embedding arbitrary paths in the package manifest. The success of exploitation depends on the worker’s privilege level; if the worker runs with elevated rights, the resulting overwrite could lead to remote code execution within the build environment. The lack of a publicly disclosed exploit and the need for a crafted upload file reduce the immediacy of risk, yet the severity remains high for organizations that rely on Debusine for their distribution pipeline.
OpenCVE Enrichment