PT-2025-7042

Deeplow · Published 2025-02-13 · Updated 2025-02-13 · CVE-2025-24889

CVSS v3.1: 4.5 (Medium)
Vector: AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: SecureDrop Client versions prior to 0.14.1 and 1.0.1
Description: The issue allows an attacker who has already gained code execution in a virtual machine on the SecureDrop Workstation to gain code execution in the sd-log virtual machine by sending a specially crafted log entry. This is not exploitable remotely and requires an attacker to already have code execution on one of the other virtual machines of the system. The vulnerability is due to a path traversal bug in the logic used to choose where to write the log file for a specific VM, where the VM name is used unsanitized in the destination path in sd-log. An attacker could provide an arbitrary source VM name, possibly overwriting logs of other VMs, or writing a file named syslog.log with attacker-controlled content in arbitrary directories as a low-privileged user. A successful attack could potentially overwrite or add configuration to software that loads configuration files from a directory, achieving code execution by setting the target directory to /home/user/.config/autostart/ and letting it write syslog.log, because XFCE treats any file in that directory as a .desktop file regardless of its extension.
Recommendations: For versions prior to 0.14.1, update to version 0.14.1 or later. For versions prior to 1.0.1, update to version 1.0.1 or later. As a temporary workaround, consider restricting access to the sd-log VM to minimize the risk of exploitation.
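As an added illustration (not code from the SecureDrop project), the unsanitised path construction the advisory describes, beside a hardened version that allowlists the VM name and independently verifies that the resolved path stays under the log root. The log root, the per-VM layout, the name pattern and the sample VM names are assumptions for the example.

```python
import re
from pathlib import Path

# Assumed per-VM log layout for sd-log: <LOG_ROOT>/<vm_name>/syslog.log
# (illustrative; not the project's actual path).
LOG_ROOT = Path("/home/user/QubesIncomingLogs")

# Assumed allowlist for VM names: leading letter, then letters, digits,
# '-' or '_', at most 31 characters. A '/', '.' or NUL can never pass.
VM_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]{0,30}")


def vm_name_is_valid(vm_name: str) -> bool:
    """Syntactic allowlist check on the caller-supplied VM name."""
    return VM_NAME_RE.fullmatch(vm_name) is not None


def is_confined(candidate: Path, log_root: Path = LOG_ROOT) -> bool:
    """True only if candidate, after normalising '..' and symlinks, lies under log_root."""
    root = log_root.resolve()
    return root in candidate.resolve().parents


def vulnerable_log_path(vm_name: str, log_root: Path = LOG_ROOT) -> Path:
    """The pattern the advisory describes: the VM name is joined into the
    destination path unsanitised, so '..' components in the name steer
    syslog.log into a directory outside the log root."""
    return log_root / vm_name / "syslog.log"


def safe_log_path(vm_name: str, log_root: Path = LOG_ROOT) -> Path:
    """Hardened version: reject names outside the allowlist, then verify
    containment as a second, independent check before the path is used."""
    if not vm_name_is_valid(vm_name):
        raise ValueError(f"rejected VM name {vm_name!r}")
    candidate = log_root / vm_name / "syslog.log"
    if not is_confined(candidate, log_root):
        raise ValueError(f"log path escapes {log_root}")
    return candidate


if __name__ == "__main__":
    # "sd-app" is an illustrative well-formed name; the second is a traversal name.
    for name in ("sd-app", "../../.config/autostart"):
        raw = vulnerable_log_path(name)
        print(f"{name!r}: unsanitised -> {raw} (confined: {is_confined(raw)})")
        try:
            print("  hardened ->", safe_log_path(name))
        except ValueError as exc:
            print("  hardened ->", exc)
```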

Weakness Enumeration
Path traversal

Related Identifiers
CVE-2025-24889
GHSA-933Q-FX9H-5G46

Affected Products
Securedrop Client
Securedrop Workstation
Xfce