Vulnerability details: VCID-rbvm-14d7-kbcf
Vulnerability ID VCID-rbvm-14d7-kbcf
Aliases CVE-2025-6297
Summary It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, an operation that is documented as safe even on untrusted data. As a result, temporary files may be left behind on cleanup. Given automated and repeated execution of dpkg-deb commands on adversarial .deb packages, or with highly compressible files, placed inside a directory whose permissions do not allow removal by a non-root user, this can lead to a DoS through disk quota exhaustion or disk-full conditions.
Status Published
Exploitability 0.5
Weighted Severity 4.1
Risk 2.0
Weaknesses (0)
There are no known CWEs.
System Score Found at
epss 0.00075 https://api.first.org/data/v1/epss?cve=CVE-2025-6297
epss 0.00082 https://api.first.org/data/v1/epss?cve=CVE-2025-6297
epss 0.00086 https://api.first.org/data/v1/epss?cve=CVE-2025-6297
cvssv3.1 5.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 8.2 https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=ed6bbd445dd8800308c67236ba35d08004c98e82
ssvc Track https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=ed6bbd445dd8800308c67236ba35d08004c98e82
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV): local
Attack Complexity (AC): low
Privileges Required (PR): none
User Interaction (UI): required
Scope (S): unchanged
Confidentiality Impact (C): none
Integrity Impact (I): none
Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N Found at https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=ed6bbd445dd8800308c67236ba35d08004c98e82
Attack Vector (AV): network
Attack Complexity (AC): low
Privileges Required (PR): none
User Interaction (UI): none
Scope (S): unchanged
Confidentiality Impact (C): high
Integrity Impact (I): low
Availability Impact (A): none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-01T17:30:21Z/ Found at https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=ed6bbd445dd8800308c67236ba35d08004c98e82
Exploit Prediction Scoring System (EPSS)
Percentile 0.23358
EPSS Score 0.00075
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T09:24:58.023101+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2025/6xxx/CVE-2025-6297.json 37.0.0