CVE-2025-0509

A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkles (Ed)DSA signing checks.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.3 HIGH
ADJACENT_NETWORK
HIGH
HIGH
CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
fedoraCNA
7.3 HIGH
ADJACENT_NETWORK
HIGH
HIGH
CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 2%
VendorProductVersion
sparkle-projectsparkle
𝑥
< 2.6.4
netapphci_compute_node
-
netapponcommand_workflow_automation
-
netapphci_compute_node
-
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
openjdk-8
sid
8u462-ga-1
fixed
Common Weakness Enumeration
References
https://github.com/sparkle-project/Sparkle/pull/2550
https://sparkle-project.org/documentation/security-and-reliability/
https://security.netapp.com/advisory/ntap-20250124-0008/