PT-2025-38060 · Linkr · Linkr

Mohammadzain2008 · Published 2025-09-16 · Updated 2025-09-17

CVE-2025-59334 · CVSS v3.1 9.6 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected software and versions: Linkr versions through 2.0.0

Description: Linkr is a lightweight file delivery system that downloads files from a web server. Linkr does not verify the integrity or authenticity of .linkr manifest files before using their contents, so a tampered manifest can inject arbitrary file entries into a package distribution. An attacker who can modify a .linkr manifest causes the client, when a user runs the extract command, to download the attacker-supplied file without any verification. This enables arbitrary file injection and creates a potential path to remote code execution if a downloaded malicious binary or script is later executed.

Recommendations: Update to version 2.0.1 or later. As a workaround prior to updating, use only trusted .linkr manifests, manually verify manifest integrity, and host manifests on trusted servers.
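The missing check described above, as an added example (not Linkr's own code): the client pins the manifest's digest, obtained out of band, and refuses to act on any file entry until the whole manifest matches, then checks each download against its per-entry digest. The JSON manifest layout, the `.invalid` URLs and the sample digests are constructed assumptions, since the advisory does not show the real .linkr format.

```python
import hashlib
import hmac
import json

# Constructed sample manifest. The real .linkr layout is not shown in the advisory,
# so a JSON document with file entries is assumed here.
TRUSTED_MANIFEST = json.dumps({
    "package": "example-app",
    "files": [{"path": "bin/app", "url": "https://example.invalid/app",
               "sha256": hashlib.sha256(b"app-binary").hexdigest()}],
}, sort_keys=True).encode()

# Manifest digest obtained out of band (release page, signed announcement, etc.).
PINNED_MANIFEST_SHA256 = hashlib.sha256(TRUSTED_MANIFEST).hexdigest()

class ManifestVerificationError(Exception):
    pass

def load_manifest(manifest_bytes: bytes, pinned_sha256: str) -> dict:
    """Parse manifest entries only after the whole document matches the pinned digest."""
    actual = hashlib.sha256(manifest_bytes).hexdigest()
    if not hmac.compare_digest(actual, pinned_sha256):
        raise ManifestVerificationError("manifest digest mismatch; entries not trusted")
    manifest = json.loads(manifest_bytes)
    for entry in manifest["files"]:
        # Reject entries that lack a digest or try to escape the install directory.
        if not all(k in entry for k in ("path", "url", "sha256")) or ".." in entry["path"]:
            raise ManifestVerificationError(f"malformed entry: {entry}")
    return manifest

def manifest_accepted(manifest_bytes: bytes, pinned_sha256: str) -> bool:
    """Boolean wrapper: True only if the manifest passes verification."""
    try:
        load_manifest(manifest_bytes, pinned_sha256)
        return True
    except ManifestVerificationError:
        return False

def download_accepted(entry: dict, content: bytes) -> bool:
    """Check fetched bytes against the entry digest before they are written or executed."""
    return hmac.compare_digest(hashlib.sha256(content).hexdigest(), entry["sha256"])

def with_injected_entry(manifest_bytes: bytes) -> bytes:
    """Constructed tampered manifest: one extra file entry, the case the advisory describes."""
    m = json.loads(manifest_bytes)
    m["files"].append({"path": "bin/extra", "url": "https://example.invalid/extra",
                       "sha256": hashlib.sha256(b"unexpected").hexdigest()})
    return json.dumps(m, sort_keys=True).encode()
```

A digest pin covers the workaround in the advisory; a fixed client would instead carry a publisher signature over the manifest so users need not fetch a digest by hand.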

Tags: Exploit · Fix · RCE

Weakness Enumeration: Improper Verification of Cryptographic Signature

Related Identifiers: CVE-2025-59334 · GHSA-6WPH-MPV2-29XV

Affected Products: Linkr