PT-2025-48350 · Pubnet · Pubnet
Published: 2025-11-29 · Updated: 2025-12-24
CVE-2025-65112
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
PubNet versions prior to 1.1.3
Description
PubNet is a self-hosted Dart & Flutter package service. The /api/storage/upload endpoint allows unauthenticated users to upload packages as any user by providing arbitrary author-id values. This enables identity spoofing, privilege escalation, and supply chain attacks. The issue allows attackers to forge any author-id, creating a perfect supply chain attack scenario.
Recommendations
Versions prior to 1.1.3 should be updated to version 1.1.3 or later.
Exploit
Fix
LPE
Missing Authentication
Missing Authorization
Related Identifiers
Affected Products
Pubnet