PT-2025-7041 · Unknown · SecureDrop Client
Lsd-Cat · Published 2025-02-13 · Updated 2025-02-17 · CVE-2025-24888
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SecureDrop Client versions prior to 0.14.1
Description: The issue lies in the code responsible for downloading replies in the SecureDrop Client. A malicious SecureDrop Server could obtain code execution on the SecureDrop Client virtual machine (sd-app). The filename of the reply is obtained from the Content-Disposition HTTP header and used to write the encrypted reply on disk. Although filenames are generated and sanitized server-side, and files are downloaded in an encrypted format, a previously compromised SecureDrop Server could manipulate the HTTP response to exploit this issue. The vulnerability allows code execution by writing an autostart file in /home/user/.config/autostart/. As of the time of publication, there is no known evidence of exploitation in the wild.
Recommendations: For SecureDrop Client versions prior to 0.14.1, update to version 0.14.1 to fix the issue. As a temporary workaround, consider restricting access to the /home/user/.config/autostart/ directory to prevent potential code execution.
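As an added example, not the project's own code or the actual fix, the check below shows how a client can treat the server-supplied Content-Disposition filename as untrusted before using it to write a reply to disk: it parses the header (including RFC 2231 encoded variants), accepts only a bare single-component name matching an assumed reply naming pattern, and confirms the resolved destination still lies inside the download directory. The download directory, the `.gpg` naming pattern and the sample headers are assumptions constructed for this example.

```python
import os
import re
from email.message import Message

# Constructed sample headers for the cases described in the advisory (not
# captured from a real server and not taken from the SecureDrop code base).
SAFE_HEADER = 'attachment; filename="1-sample_source-reply.gpg"'
TRAVERSAL_HEADER = 'attachment; filename="../../.config/autostart/evil.desktop"'
RFC2231_HEADER = "attachment; filename*=UTF-8''%2e%2e%2f%2e%2e%2fevil.desktop"

# Assumed shape of an encrypted reply name: one path component, no leading
# dot, ending in .gpg. Adjust to the real naming scheme before reuse.
ALLOWED_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*\.gpg$")


class UnsafeFilename(ValueError):
    """Raised when a server-supplied filename must not be used on disk."""


def filename_from_content_disposition(header: str) -> str:
    """Parse the filename parameter, RFC 2231 encoded variants included."""
    msg = Message()
    msg["Content-Disposition"] = header
    name = msg.get_filename()
    if not name:
        raise UnsafeFilename("Content-Disposition carries no filename")
    return name


def safe_reply_path(download_dir: str, header: str) -> str:
    """Return the on-disk path for a reply, or raise if it could escape download_dir."""
    name = filename_from_content_disposition(header)
    # A legitimate reply name is a single path component: a separator, a
    # '..' component or a backslash means the server is steering the write.
    if name != os.path.basename(name) or "\\" in name or name in (".", ".."):
        raise UnsafeFilename(f"path components in filename: {name!r}")
    if not ALLOWED_NAME.fullmatch(name):
        raise UnsafeFilename(f"filename outside allowed pattern: {name!r}")
    root = os.path.realpath(download_dir)
    dest = os.path.realpath(os.path.join(root, name))
    # Second line of defence: the resolved path must stay under download_dir.
    if os.path.commonpath([root, dest]) != root:
        raise UnsafeFilename(f"resolved path escapes download dir: {dest!r}")
    return dest


def header_is_acceptable(download_dir: str, header: str) -> bool:
    """Boolean wrapper, convenient for logging or alerting on rejected downloads."""
    try:
        safe_reply_path(download_dir, header)
        return True
    except UnsafeFilename:
        return False
```

Rejections are worth logging on the client side: a server that sends a traversal filename is, per the advisory, already compromised, so the rejected header is itself a detection signal.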

Exploit

Fix

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2025-24888, GHSA-6C3P-CHQ6-Q3J2

Affected Products: SecureDrop Client