VYPR
OSV Advisory · High severity · Published Jul 30, 2025 · Updated Apr 15, 2026

CVE-2025-54433

Description

Bugsink is a self-hosted error tracking service. In versions 1.4.2 and below, 1.5.0 through 1.5.4, 1.6.0 through 1.6.3, and 1.7.0 through 1.7.3, the ingestion paths construct file locations directly from the untrusted event_id supplied with an event, without validating it. A specially crafted event_id can therefore yield a path outside the intended directory, potentially allowing a file to be overwritten or created in an arbitrary location. Submitting such input requires a valid DSN, which may itself be exposed. If Bugsink runs in a container, the effect is confined to the container's filesystem. In non-containerized setups, the overwrite may affect any other part of the system writable by the account Bugsink runs as. This is fixed in versions 1.4.3, 1.5.5, 1.6.4 and 1.7.4.
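The description says the file location is built straight from the untrusted event_id. As an added example, not Bugsink's own code and not its actual ingestion path, the following Python contrasts that naive join with a hardened version that allow-lists the identifier format and then confirms the result stays inside the event directory. It assumes an event_id is a 32-character lowercase hex string (the usual Sentry-compatible format); the event directory, probe strings and helper names are constructed for this example.

```python
import os
import re

# Assumption of this example: a well-formed event_id is a 32-character
# lowercase hex string (a UUID with the dashes removed). This format is not
# taken from Bugsink's code.
EVENT_ID_RE = re.compile(r"[0-9a-f]{32}")

# Constructed sample directory; any absolute path works for the checks below.
EVENT_DIR = "/var/lib/bugsink/events"


def naive_event_path(base_dir: str, event_id: str) -> str:
    """Vulnerable pattern: the untrusted identifier is joined straight into the
    path. A '..' segment walks out of base_dir, and an absolute event_id makes
    os.path.join discard base_dir entirely."""
    return os.path.normpath(os.path.join(base_dir, event_id))


def escapes_base(base_dir: str, candidate: str) -> bool:
    """Lexical containment check: True when candidate does not sit under
    base_dir. No filesystem access is needed, so it is safe to call before
    the file exists."""
    base = os.path.abspath(base_dir)
    target = os.path.abspath(candidate)
    return os.path.commonpath([base, target]) != base


def safe_event_path(base_dir: str, event_id: str) -> str:
    """Hardened pattern: allow-list the identifier's format first, then
    confirm the resulting path is still inside base_dir. The second check is
    redundant once the regex holds, but it documents the invariant and guards
    against a later loosening of the accepted format."""
    if not EVENT_ID_RE.fullmatch(event_id):
        raise ValueError(f"rejected event_id {event_id!r}: not 32 lowercase hex chars")
    target = os.path.join(base_dir, event_id)
    if escapes_base(base_dir, target):
        raise ValueError("event_id resolves outside the event directory")
    return os.path.normpath(target)


def accepted(base_dir: str, event_id: str) -> bool:
    """True when the hardened code would store a file for this event_id."""
    try:
        safe_event_path(base_dir, event_id)
    except ValueError:
        return False
    return True


# Constructed probes: one well-formed id, then shapes an attacker might send.
CONSTRUCTED_EVENT_IDS = [
    "0123456789abcdef0123456789abcdef",   # well-formed, stays in EVENT_DIR
    "../../../etc/cron.d/job",            # relative traversal
    "/tmp/anywhere",                      # absolute path, join drops base_dir
    "0123456789ABCDEF0123456789ABCDEF",   # wrong case: rejected by the allow-list
    "abc",                                # too short: rejected by the allow-list
]


def audit(base_dir: str = EVENT_DIR) -> list:
    """For each probe, report whether the naive join escapes base_dir and
    whether the hardened version accepts it."""
    rows = []
    for event_id in CONSTRUCTED_EVENT_IDS:
        rows.append({
            "event_id": event_id,
            "naive_escapes": escapes_base(base_dir, naive_event_path(base_dir, event_id)),
            "accepted": accepted(base_dir, event_id),
        })
    return rows


if __name__ == "__main__":
    for row in audit():
        print(f"{row['event_id']!r:40} naive_escapes={row['naive_escapes']!s:5} accepted={row['accepted']}")
```

The two traversal probes show why a containment check alone is not the whole fix: the naive join lands on "/var/etc/cron.d/job" and "/tmp/anywhere" respectively, both outside the event directory, whereas the regex rejects them before any path is formed. Rejecting on format also closes off identifiers that never leave the directory but are still malformed, which keeps storage names predictable.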

Affected packages

Versions sourced from the GitHub Security Advisory.

Package           Affected versions    Patched versions
bugsink (PyPI)    >= 1.7.0, < 1.7.4    1.7.4
bugsink (PyPI)    >= 1.6.0, < 1.6.4    1.6.4
bugsink (PyPI)    >= 1.5.0, < 1.5.5    1.5.5
bugsink (PyPI)    < 1.4.3              1.4.3
