The vulnerability arises from the omission of validation on the 'name' field inside Topic Manifests (topic.json). A crafted value containing CRLF characters allows an attacker to inject new lines that are interpreted as separate configuration entries when oma‑topics registers the manifest. This results in malicious APT source entries being added to /etc/apt/sources.list.d/atm.list, pointing to attacker‑controlled repositories. When those repositories are later used, the system can download and install arbitrary packages, providing a path to code execution. The weakness corresponds to CWE‑93, incorrect handling of untrusted data that can lead to HTTP response splitting.

Affected systems are machines running the oma package manager for AOSC OS, specifically the oma‑topics component, with any version prior to 1.25.2. This includes AOSC OS installations that automatically fetch Topic Manifests from remote repositories. Version 1.25.2 and later contain the fix.

The CVSS base score of 5.2 indicates a medium severity vulnerability. EPSS data is not publicly available, and the flaw is not listed in the CISA KEV catalog, implying it has not yet been exploited at scale. Exploitation requires control or influence over a remote repository hosting a Topic Manifest; an attacker can trigger oma‑topics to fetch a malicious manifest and cause rogue APT source entries to be written. Given the need for environment control and the moderate score, the overall risk is considered moderate, with a realistic chance of exploitation if an attacker can host or manipulate a repository used by the affected systems.