PT-2025-28133 · Rowboatlabs · Rowboat

B1Anb1An · Published 2025-07-07 · Updated 2025-08-01 · CVE-2025-7115

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: rowboatlabs rowboat up to 8096eaf63b5a0732edd8f812bee05b78e214ee97
Description: A critical issue has been found, affecting the function PUT of the file apps/rowboat/app/api/uploads/[fileId]/route.ts in the Session Handler component. The manipulation of the params argument leads to missing authentication, allowing for remote attacks. The product uses continuous delivery with rolling releases, so no specific version details of affected or updated releases are available. It is expected that this issue will be fixed in the near future.
Recommendations: As a temporary workaround, consider disabling the PUT function in the apps/rowboat/app/api/uploads/[fileId]/route.ts file until a fix is available. Restrict access to the Session Handler component to minimize the risk of exploitation. Avoid using the params argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration: Missing Authentication, Improper Authentication
Related Identifiers: CVE-2025-7115
Affected Products: Rowboat