CVE-2026-25707 - Vulnerability Details

Description

A relative path traversal bug problem when processing repository metadata in libzypp before 17.38.10 could be used by remote attackers supplying repositories to overwrite files on the system, leading to denial of service or privilege escalation.

Published: 2026-06-29

Score: 8.8 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A relative path traversal flaw in libzypp occurs while parsing repository metadata in versions prior to 17.38.10. The flaw, identified as CWE‑23, lets an attacker supply a crafted repository so that the metadata processing writes to an arbitrary local file. Overwriting critical files can break system operation or grant elevated privileges to the attacker.

Affected Systems

The vulnerability affects SUSE’s libzypp component in all releases before version 17.38.10. Systems running those libraries are exposed if they configure or use external repositories.

Risk and Exploitability

The CVSS score of 8.8 indicates a high‑severity risk. Because the bug is exploitable from a remote repository, an attacker who controls a repository server can trigger the overwrite. No EPSS score is available, but the lack of a KEV listing does not imply safety; the flaw remains a significant threat if the vulnerable library is in use.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SUSE

libzypp

unaffected

Version	Status	Constraints
`0`	affected	< 17.38.10

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade libzypp to version 17.38.10 or later
Remove or disable any untrusted third‑party repository configurations
Configure the system to validate repository metadata integrity and enforce strict path handling

Generated by OpenCVE AI on June 29, 2026 at 11:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://bugzilla.suse.com/show_bug.cgi?id=1259802
https://github.com/openSUSE/libzypp/commit/f09feda7fca03c941218aab0bb161cc82b185b6b

History

Mon, 29 Jun 2026 12:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 29 Jun 2026 10:15:00 +0000

Type	Values Removed	Values Added
Description		A relative path traversal bug problem when processing repository metadata in libzypp before 17.38.10 could be used by remote attackers supplying repositories to overwrite files on the system, leading to denial of service or privilege escalation.
Title		Handcrafted repo metadata may cause arbitrary local files to be overwritten by libzypp
Weaknesses		CWE-23
References		https://bugzilla.suse.com/show_bug.cgi?id=1259802 https://github.com/openSUSE/libzypp/commit/f09feda7fca03c941218aab0bb161cc82b185b6b
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: suse

Published: 2026-06-29T10:04:59.223Z

Updated: 2026-06-29T11:44:36.827Z

Reserved: 2026-02-05T15:37:24.184Z

Link: CVE-2026-25707

Vulnrichment

Updated: 2026-06-29T11:44:17.763Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T11:30:05Z

Weaknesses

CWE-23
Relative Path Traversal

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25707", "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "state": "PUBLISHED", "assignerShortName": "suse", "dateReserved": "2026-02-05T15:37:24.184Z", "datePublished": "2026-06-29T10:04:59.223Z", "dateUpdated": "2026-06-29T11:44:36.827Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse", "dateUpdated": "2026-06-29T10:04:59.223Z"}, "title": "Handcrafted repo metadata may cause arbitrary local files to be overwritten by libzypp", "datePublic": "2026-05-28T09:56:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-23", "description": "CWE-23 Relative path traversal", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-165", "descriptions": [{"lang": "en", "value": "CAPEC-165 File Manipulation"}]}], "affected": [{"vendor": "SUSE", "product": "libzypp", "packageName": "libzypp", "repo": "https://github.com/openSUSE/libzypp", "versions": [{"status": "affected", "version": "0", "lessThan": "17.38.10", "versionType": "rpm"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A relative path traversal bug problem when processing repository metadata in libzypp before 17.38.10 could be used by remote attackers supplying repositories to overwrite files on the system, leading to denial of service or privilege escalation.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A relative path traversal bug problem when processing repository metadata in libzypp before 17.38.10 could be used by remote attackers supplying repositories to overwrite files on the system, leading to denial of service or privilege escalation."}]}], "references": [{"url": "https://bugzilla.suse.com/show_bug.cgi?id=1259802", "tags": ["issue-tracking"]}, {"url": "https://github.com/openSUSE/libzypp/commit/f09feda7fca03c941218aab0bb161cc82b185b6b", "tags": ["patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "Michael Andres of SUSE", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-29T11:39:14.732975Z", "id": "CVE-2026-25707", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-29T11:44:36.827Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25707", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-29T11:39:14.732975Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-29T11:44:17.763Z"}}], "cna": {"title": "Handcrafted repo metadata may cause arbitrary local files to be overwritten by libzypp", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Michael Andres of SUSE"}], "impacts": [{"capecId": "CAPEC-165", "descriptions": [{"lang": "en", "value": "CAPEC-165 File Manipulation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/openSUSE/libzypp", "vendor": "SUSE", "product": "libzypp", "versions": [{"status": "affected", "version": "0", "lessThan": "17.38.10", "versionType": "rpm"}], "packageName": "libzypp", "defaultStatus": "unaffected"}], "datePublic": "2026-05-28T09:56:00.000Z", "references": [{"url": "https://bugzilla.suse.com/show_bug.cgi?id=1259802", "tags": ["issue-tracking"]}, {"url": "https://github.com/openSUSE/libzypp/commit/f09feda7fca03c941218aab0bb161cc82b185b6b", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 1.0.2"}, "descriptions": [{"lang": "en", "value": "A relative path traversal bug problem when processing repository metadata in libzypp before 17.38.10 could be used by remote attackers supplying repositories to overwrite files on the system, leading to denial of service or privilege escalation.", "supportingMedia": [{"type": "text/html", "value": "A relative path traversal bug problem when processing repository metadata in libzypp before 17.38.10 could be used by remote attackers supplying repositories to overwrite files on the system, leading to denial of service or privilege escalation.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-23", "description": "CWE-23 Relative path traversal"}]}], "providerMetadata": {"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse", "dateUpdated": "2026-06-29T10:04:59.223Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25707", "state": "PUBLISHED", "dateUpdated": "2026-06-29T11:44:36.827Z", "dateReserved": "2026-02-05T15:37:24.184Z", "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "datePublished": "2026-06-29T10:04:59.223Z", "assignerShortName": "suse"}, "dataVersion": "5.2"}

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object