PT-2025-31371 · Bugsink · Bugsink

Vanschelven
Published: 2025-07-29 · Updated: 2025-07-30
CVE-2025-54433
CVSS v4.0: 7.2 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Bugsink versions 1.4.2 and below
Bugsink versions 1.5.0 through 1.5.4
Bugsink versions 1.6.0 through 1.6.3
Bugsink versions 1.7.0 through 1.7.3

Description
Bugsink is a self-hosted error tracking service. Ingestion paths construct file locations directly from untrusted event id input without validation. A specially crafted event id can result in paths outside the intended directory, potentially allowing file overwrite or creation in arbitrary locations. Submitting such input requires access to a valid DSN. If Bugsink runs in a container, the effect is confined to the container’s filesystem. In non-containerized setups, the overwrite may affect other parts of the system accessible to that user.

Recommendations
Update to Bugsink version 1.4.3.
Update to Bugsink version 1.5.5.
Update to Bugsink version 1.6.4.
Update to Bugsink version 1.7.4.
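As an illustration added here (not Bugsink's own code), the unvalidated join the description refers to is shown beside a hardened builder that allow-lists the id and then confirms the resulting path is a direct child of the store directory; the 32-hex-character event id format, the store directory and the helper names are assumptions.

```python
import os
import re

# Assumption (not from the advisory): Sentry-style event ids are 32 hex chars,
# so an allow-list regex rejects separators, dots and absolute paths outright.
EVENT_ID_RE = re.compile(r"[0-9a-fA-F]{32}")
STORE_DIR = "/srv/bugsink-demo/events"  # constructed demo location


def naive_event_path(store_dir: str, event_id: str) -> str:
    """The pattern the advisory describes: untrusted id goes straight into a path.
    os.path.join drops store_dir entirely when event_id is absolute, and '..'
    segments walk out of it once the OS normalises the path."""
    return os.path.join(store_dir, event_id)


def safe_event_path(store_dir: str, event_id: str) -> str:
    """Hardened form: validate the id, then confirm the final path stays inside."""
    if not EVENT_ID_RE.fullmatch(event_id):
        raise ValueError(f"rejected event id: {event_id!r}")
    base = os.path.normpath(store_dir)
    candidate = os.path.normpath(os.path.join(base, event_id.lower()))
    # Defence in depth: the validated id must resolve to a direct child of base.
    if os.path.dirname(candidate) != base:
        raise ValueError("event path escapes the store directory")
    return candidate


def escapes(store_dir: str, event_id: str) -> bool:
    """True when the naive join lands outside store_dir; handy for reviewing
    event ids seen in the ingestion logs of an unpatched instance."""
    base = os.path.normpath(store_dir)
    target = os.path.normpath(naive_event_path(store_dir, event_id))
    return os.path.commonpath([base, target]) != base


def rejects(store_dir: str, event_id: str) -> bool:
    """True when the hardened builder refuses the id."""
    try:
        safe_event_path(store_dir, event_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for eid in ("0123456789abcdef0123456789abcdef", "../../outside", "/abs/path"):
        print(f"{eid!r}: escapes={escapes(STORE_DIR, eid)} rejected={rejects(STORE_DIR, eid)}")
```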

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2025-54433
GHSA-Q78P-G86F-JG6Q

Affected Products

Bugsink