GHSA-q78p-g86f-jg6q

Source

https://github.com/advisories/GHSA-q78p-g86f-jg6q

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-q78p-g86f-jg6q/GHSA-q78p-g86f-jg6q.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-q78p-g86f-jg6q

Aliases

CVE-2025-54433

Published

2025-07-29T20:13:51Z

Modified

2025-07-30T16:06:19.289197Z

Severity

7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Bugsink path traversal via event_id in ingestion

Details

Summary

In affected versions, ingestion paths construct file locations directly from untrusted event_id input without validation. A specially crafted event_id can result in paths outside the intended directory, potentially allowing file overwrite or creation in arbitrary locations.

Submitting such input requires access to a valid DSN. While that limits exposure, DSNs are sometimes discoverable—for example, when included in frontend code—and should not be treated as a strong security boundary.

Impact

A valid DSN holder can craft an event_id that causes the ingestion process to write files outside its designated directory. This allows overwriting files accessible to the user running Bugsink.

If Bugsink runs in a container, the effect is confined to the container’s filesystem. In non-containerized setups, the overwrite may affect other parts of the system accessible to that user.

Mitigation

Update to version 1.7.4, 1.6.4, 1.5.5 or 1.4.3 , which require event_id to be a valid UUID and normalizes it before use in file paths.

Database specific

{
    "github_reviewed": true,
    "severity": "HIGH",
    "github_reviewed_at": "2025-07-29T20:13:51Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "nvd_published_at": "2025-07-30T15:15:35Z"
}

References

Affected packages

PyPI / bugsink

Package

Name: bugsink; View open source insights on deps.dev
Purl: pkg:pypi/bugsink

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.7.0

Fixed

1.7.4

Affected versions

1.*

1.7.0

1.7.1

1.7.2

1.7.3

PyPI / bugsink

Package

Name: bugsink; View open source insights on deps.dev
Purl: pkg:pypi/bugsink

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.6.0

Fixed

1.6.4

Affected versions

1.*

1.6.0

1.6.1

1.6.2

1.6.3

PyPI / bugsink

Package

Name: bugsink; View open source insights on deps.dev
Purl: pkg:pypi/bugsink

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.5.0

Fixed

1.5.5

Affected versions

1.*

1.5.0

1.5.1

1.5.2

1.5.3

1.5.4

PyPI / bugsink

Package

Name: bugsink; View open source insights on deps.dev
Purl: pkg:pypi/bugsink

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.4.3

Affected versions

0.*

0.0.1

0.1.12

0.1.13

0.1.14

0.1.15

0.1.16

0.1.17

0.1.18

0.1.19

0.1.20

1.*

1.0.0

1.0.1

1.1.0

1.1.1

1.1.2

1.2.0

1.3.0

1.4.0

1.4.1

1.4.2