CVE-2025-0509

EUVD-2025-0232
A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkle’s (Ed)DSA signing checks.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.3 HIGH
ADJACENT_NETWORK
HIGH
HIGH
CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
fedoraCNA
7.3 HIGH
ADJACENT_NETWORK
HIGH
HIGH
CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 25%
Affected Products (NVD)
VendorProductVersion
sparkle-projectsparkle
𝑥
< 2.6.4
netapphci_compute_node
-
netapponcommand_workflow_automation
-
netapphci_compute_node
-
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
openjdk-8
sid
8u482-ga-1
fixed
Common Weakness Enumeration
References
https://github.com/sparkle-project/Sparkle/pull/2550
https://sparkle-project.org/documentation/security-and-reliability/
https://security.netapp.com/advisory/ntap-20250124-0008/