CVE-2025-0509

A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkles (Ed)DSA signing checks.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.3 HIGH
ADJACENT_NETWORK
HIGH
HIGH
CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
fedoraCNA
7.3 HIGH
ADJACENT_NETWORK
HIGH
HIGH
CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
openjdk-8
sid
8u452-ga-1
fixed
Common Weakness Enumeration
References
https://github.com/sparkle-project/Sparkle/pull/2550
https://sparkle-project.org/documentation/security-and-reliability/
https://security.netapp.com/advisory/ntap-20250124-0008/