CVE-2024-25711
Description
diffoscope before 256 allows directory traversal via an embedded filename in a GPG file. Contents of any file, such as ../.ssh/id_rsa, may be disclosed to an attacker. This occurs because the value of the gpg --use-embedded-filenames option is trusted.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Directory traversal in diffoscope before 256 allows an attacker to read arbitrary files (e.g., SSH keys) by embedding a filename in a GPG file.
The vulnerability lies in diffoscope's handling of GPG files. Specifically, diffoscope trusts the value of the gpg --use-embedded-filenames option, which allows a GPG file to carry an embedded filename that is used as-is [1]. This embedded filename is not validated, so a name containing path traversal sequences is honoured. An attacker can craft a GPG file with an embedded filename like ../.ssh/id_rsa, which diffoscope will process and attempt to compare, placing that file's contents in the comparison output.
Exploitation requires the attacker to supply a malicious GPG file to a user running diffoscope. The attack is achieved because diffoscope version 256 and earlier blindly follows the embedded filename path, without checking for directory traversal sequences [2]. This means the attacker can read any file on the system that the user running diffoscope has access to.
The impact is severe: an attacker can exfiltrate sensitive information, such as SSH private keys (../.ssh/id_rsa), configuration files, or any other accessible file [1]. This could lead to lateral movement or privilege escalation depending on the data obtained. The attack does not require authentication beyond the ability to have the victim process a malicious file.
Mitigation is straightforward: users must upgrade to diffoscope version 256 or later. The issue was patched by properly sanitizing or ignoring the embedded filenames from GPG files [2]. Fedora has also released updates for the affected packages [3]. No workaround exists for older versions, so upgrading is critical.
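The defensive check the narrative above calls for is path confinement: an untrusted filename taken from a file's contents must be anchored inside the extraction directory, and any name that is absolute, contains "..", or resolves outside that directory must be rejected before it is used. The following is an added example written for this page, not diffoscope's own fix; the function names and the extraction directory are assumptions.

```python
"""Confine an untrusted embedded filename to an extraction directory.

Added example (not diffoscope's code). `sanitize_embedded_filename` and
`is_safe_embedded_filename` are names chosen here; the extraction directory
is whatever the caller passes in.
"""
from pathlib import Path, PurePosixPath


def sanitize_embedded_filename(embedded: str, extract_dir: str) -> str:
    """Return an absolute path inside extract_dir for an untrusted filename.

    Raises ValueError if the name is empty, contains a NUL byte, is absolute,
    contains a '..' component, or would otherwise resolve outside extract_dir.
    The lexical checks fail fast on the obvious cases; the final resolve()
    comparison is the authoritative containment check.
    """
    if not embedded or "\x00" in embedded:
        raise ValueError("empty or NUL-containing embedded filename")

    rel = PurePosixPath(embedded)
    if rel.is_absolute():
        raise ValueError(f"absolute embedded filename rejected: {embedded!r}")
    if any(part == ".." for part in rel.parts):
        raise ValueError(f"traversal component in embedded filename: {embedded!r}")

    base = Path(extract_dir).resolve()
    candidate = (base / rel).resolve()
    # The candidate must be the base itself or live strictly beneath it.
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"embedded filename escapes {base}: {embedded!r}")
    return str(candidate)


def is_safe_embedded_filename(embedded: str, extract_dir: str) -> bool:
    """Boolean wrapper for callers that want to skip rather than abort."""
    try:
        sanitize_embedded_filename(embedded, extract_dir)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample names; the extraction directory is a placeholder.
    extract_dir = "/tmp/example-extract-dir"
    for name in ["report.txt", "sub/report.txt", "../.ssh/id_rsa",
                 "/etc/passwd", "sub/../../escape"]:
        verdict = "accept" if is_safe_embedded_filename(name, extract_dir) else "reject"
        print(f"{verdict:6} {name}")
```

Run as a script, the loop accepts the two relative names and rejects the three escaping ones. The lexical ".." check alone is not sufficient in general (symlinks inside the extraction directory can also lead outside it), which is why the resolved path is compared against the resolved base as the final decision.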
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| diffoscope (PyPI) | < 256 | 256 |
Affected products
- diffoscope/diffoscope
- Range: < 256
- GHSA coordinates: 2 versions (< 256, + 1 more)
- (no CPE) range: < 256
- (no CPE) range: < 261-1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-33w6-hvmq-gh4x (GHSA advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OUNBANAWD6TZH2NRRV4YUIAXEHLUJQ47/ (MITRE, vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-25711 (GHSA advisory)
- github.com/pypa/advisory-database/tree/main/vulns/diffoscope/PYSEC-2024-41.yaml (GHSA web)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OUNBANAWD6TZH2NRRV4YUIAXEHLUJQ47 (GHSA web)
- salsa.debian.org/reproducible-builds/diffoscope/-/commit/dfed769904c27d66a14a5903823d9c8c5aae860e (GHSA web)
- salsa.debian.org/reproducible-builds/diffoscope/-/issues/361 (GHSA web)
News mentions
No linked articles in our index yet.