CVE-2025-53908

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-53908

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-53908.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-53908

Related

GHSA-fx9g-xw4j-jwc3

Published

2025-07-16T20:15:24Z

Modified

2025-07-18T16:50:40.475751Z

Summary

[none]

Details

RomM is a self-hosted rom manager and player. Versions prior to 3.10.3 and 4.0.0-beta.3 have an authenticated path traversal vulnerability in the /api/raw endpoint. Anyone running the latest version of RomM and has multiple users, even unprivileged users, such as the kiosk user in the official implementation, may be affected. This allows the leakage of passwords and users that may be stored on the system. Versions 3.10.3 and 4.0.0-beta.3 contain a patch.

References

Affected packages

Git / github.com/rommapp/romm

Affected ranges

Type: GIT
Repo: https://github.com/rommapp/romm
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

7c94cb05e74ddb6a6af7b82320686c01754e9966

Fixed

baa1a9759079c36e36a9f10c920c46b57d0b6151

Affected versions

3.*

3.0.0

3.0.0-rc.3

3.0.0-rc.4

3.0.0-rc.5

3.0.0-rc.6

3.0.0-rc.7

3.0.1

3.0.1-rc.1

3.0.1-rc.2

3.0.2

3.0.3

3.1.0

3.1.0-rc.1

3.1.0-rc.2

3.1.0-rc.3

3.10.0

3.10.0-alpha.1

3.10.0-alpha.2

3.10.0-beta.1

3.10.1

3.10.2

3.2.0

3.2.0-rc.1

3.2.0-rc.2

3.2.0-rc.3

3.2.0-rc.4

3.3.0

3.3.0-beta.1

3.3.0-beta.2

3.3.0-beta.3

3.3.0-rc.1

3.3.0-rc.2

3.4.0

3.5.0

3.5.0-alpha.1

3.5.0-beta.1

3.5.0-beta.2

3.5.1

3.6.0

3.6.0-rc.1

3.7.0

3.7.0-alpha.1

3.7.0-alpha.2

3.7.0-beta.1

3.7.0-beta.2

3.7.0-beta.3

3.7.1

3.7.2

3.7.3

3.8.0

3.8.0-alpha.1

3.8.0-alpha.2

3.8.0-alpha.4

3.8.0-alpha.5

3.8.0-alpha.6

3.8.0-alpha.7

3.8.0-alpha.8

3.8.0-beta.1

3.8.0-beta.2

3.8.0-beta.3

3.8.1

3.8.1-beta.1

3.8.2

3.8.2-alpha.1

3.8.2-alpha.2

3.8.2-beta.1

3.8.2-beta.2

3.8.3

3.9.0

3.9.0-alpha.1

3.9.0-beta.1

3.9.0-beta.2

4.*

4.0.0-alpha.1

4.0.0-alpha.2

4.0.0-alpha.3

4.0.0-alpha.4

4.0.0-beta.1

4.0.0-beta.2

v.*

v.2.2.0

v1.*

v1.0

v1.1

v1.10

v1.2

v1.2.2

v1.3

v1.4

v1.4.1

v1.5

v1.5.1

v1.6

v1.6.1

v1.6.2

v1.6.3

v1.6.4

v1.6.5

v1.7

v1.7.1

v1.8

v1.8.1

v1.8.2

v1.8.3

v1.8.4

v1.9

v1.9.1

v2.*

v2.0.0

v2.0.1

v2.1.0

v2.2.1

v2.3.0

v2.3.1