VYPR
High severity · NVD Advisory · Published Jul 8, 2025 · Updated Jul 8, 2025

Arbitrary executable upload via authenticated endpoint

CVE-2025-0928

Description

In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent binaries to any model or to the controller itself, without verifying model membership or requiring explicit permissions. This enabled the distribution of poisoned binaries to new or upgraded machines, potentially resulting in remote code execution.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/juju/juju (Go) | < 0.0.0-20250619215741-4034aa13c7cf | 0.0.0-20250619215741-4034aa13c7cf |
