CVE-2025-67819
EUVD-2025-20309312.12.2025, 17:15
An issue was discovered in Weaviate OSS before 1.33.4. Due to a lack of validation of the fileName field in the transfer logic, an attacker who can call the GetFile method while a shard is in the "Pause file activity" state and the FileReplicationService is reachable can read arbitrary files accessible to the service process.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| weaviate | weaviate | 1.30.0 ≤ 𝑥 ≤ 1.30.19 |
| weaviate | weaviate | 1.31.0 ≤ 𝑥 ≤ 1.31.18 |
| weaviate | weaviate | 1.32.0 ≤ 𝑥 ≤ 1.32.15 |
| weaviate | weaviate | 1.33.0 ≤ 𝑥 ≤ 1.33.3 |
𝑥
= Vulnerable software versions