pysec-2025-67
Vulnerability from pysec
Published
2025-06-19 21:15
Modified
2025-07-08 19:22
Severity ?
Details
A vulnerability classified as critical was found in Upsonic up to 0.55.6. This vulnerability affects the function os.path.join of the file markdown/server.py. The manipulation of the argument file.filename leads to path traversal. The exploit has been disclosed to the public and may be used.
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "upsonic",
"purl": "pkg:pypi/upsonic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.56.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.10.0",
"0.10.1",
"0.10.2",
"0.11.0",
"0.11.1",
"0.11.10",
"0.11.11",
"0.11.2",
"0.11.3",
"0.11.4",
"0.11.5",
"0.11.6",
"0.11.7",
"0.11.8",
"0.11.9",
"0.12.0",
"0.12.1",
"0.12.2",
"0.12.3",
"0.12.4",
"0.12.5",
"0.13.0",
"0.13.1",
"0.13.2",
"0.13.3",
"0.14.0",
"0.14.1",
"0.14.2",
"0.14.3",
"0.15.0",
"0.16.0",
"0.16.1",
"0.17.0",
"0.17.1",
"0.18.0",
"0.19.0",
"0.19.1",
"0.19.2",
"0.19.3",
"0.19.4",
"0.20.0",
"0.20.1",
"0.20.2",
"0.20.3",
"0.21.0",
"0.22.0",
"0.23.0",
"0.23.1",
"0.23.2",
"0.23.3",
"0.23.4",
"0.24.0",
"0.24.1",
"0.24.2",
"0.25.0",
"0.26.0",
"0.27.0",
"0.28.0",
"0.28.1",
"0.28.2",
"0.28.3",
"0.28.4",
"0.30.0",
"0.30.2",
"0.30.7",
"0.32.0",
"0.33.1",
"0.34.0",
"0.34.1",
"0.34.2",
"0.34.3",
"0.35.0a1736970242",
"0.35.0a1736970720",
"0.35.0a1736971149",
"0.35.0a1736971897",
"0.35.0a1736972885",
"0.35.0a1736974243",
"0.35.0a1736975119",
"0.35.0a1736976284",
"0.35.0a1736978167",
"0.35.0a1736979941",
"0.35.0a1736981630",
"0.35.0a1736982287",
"0.35.0a1736982640",
"0.35.0a1736983736",
"0.35.0a1736984772",
"0.35.0a1736986092",
"0.35.0a1737010781",
"0.35.0a1737010942",
"0.35.0a1737015222",
"0.35.0a1737016349",
"0.35.0a1737023679",
"0.35.0a1737033652",
"0.35.0a1737033931",
"0.35.0a1737034519",
"0.35.0a1737042503",
"0.35.0a1737042958",
"0.35.0a1737043600",
"0.35.0a1737044257",
"0.35.0a1737044843",
"0.35.0a1737045225",
"0.35.0a1737114840",
"0.35.0a1737114977",
"0.35.0a1737116875",
"0.35.0a1737117468",
"0.35.0a1737122839",
"0.35.0a1737195981",
"0.35.0a1737212799",
"0.35.0a1737217937",
"0.35.0a1737218956",
"0.35.0a1737227112",
"0.35.0a1737311492",
"0.35.0a1737315034",
"0.35.0a1737379903",
"0.36.0",
"0.36.0a1737396881",
"0.36.0a1737401408",
"0.36.0a1737407655",
"0.36.0a1737409215",
"0.36.0a1737410849",
"0.36.0a1737438831",
"0.36.0a1737457705",
"0.36.0a1737482268",
"0.36.0a1737482779",
"0.36.0a1737487622",
"0.36.0a1737496270",
"0.36.0a1737496729",
"0.36.0a1737498136",
"0.36.0a1737539419",
"0.36.0a1737542896",
"0.36.0a1737628376",
"0.37.0",
"0.38.0",
"0.38.0a1737809635",
"0.38.1",
"0.38.1a1738355936",
"0.39.0",
"0.39.0a1738407703",
"0.39.0a1738408485",
"0.39.0a1738409132",
"0.39.0a1738413952",
"0.39.0a1738417207",
"0.4.10",
"0.4.11",
"0.4.12",
"0.4.13",
"0.4.14",
"0.4.15",
"0.4.2",
"0.4.3",
"0.4.4",
"0.4.5",
"0.4.6",
"0.4.7",
"0.4.8",
"0.4.9",
"0.40.0",
"0.40.1",
"0.40.1a1738430067",
"0.40.1a1738431780",
"0.40.2",
"0.40.3",
"0.40.4",
"0.40.4a1738504324",
"0.40.5",
"0.40.5a1738608355",
"0.40.5a1738609512",
"0.40.5a1738609921",
"0.40.5a1738610310",
"0.40.5a1738610551",
"0.40.6",
"0.40.6a1738619561",
"0.40.7",
"0.40.7a1738837197",
"0.40.7a1738851334",
"0.40.7a1738858117",
"0.40.7a1738865999",
"0.40.7a1738874469",
"0.41.0",
"0.41.0a1738875992",
"0.41.0a1738913481",
"0.41.0a1738922922",
"0.41.0a1738942849",
"0.41.0a1738943864",
"0.41.0a1738947565",
"0.41.0a1738948334",
"0.41.0a1738949488",
"0.41.0a1738951496",
"0.41.0a1738961482",
"0.41.0a1739006911",
"0.41.1",
"0.42.0",
"0.42.0a1739015944",
"0.42.0a1739029428",
"0.42.0a1739042238",
"0.42.0a1739042985",
"0.42.0a1739044180",
"0.42.0a1739044629",
"0.42.0a1739047263",
"0.42.0a1739048896",
"0.42.0a1739050234",
"0.42.0a1739093954",
"0.42.0a1739099062",
"0.43.0",
"0.43.0a1739106873",
"0.43.0a1739383942",
"0.43.0a1739389035",
"0.43.0a1739429679",
"0.44.0",
"0.44.0a1739451866",
"0.44.0a1739565955",
"0.44.1",
"0.44.1a1739799852",
"0.44.1a1739881595",
"0.44.1a1739897729",
"0.44.1a1739899475",
"0.44.1a1739904268",
"0.44.1a1739905596",
"0.44.1a1739908048",
"0.44.1a1739909460",
"0.44.1a1739912278",
"0.44.1a1739949863",
"0.44.1a1739953863",
"0.44.1a1739958116",
"0.44.1a1739969973",
"0.44.1a1739983135",
"0.44.2",
"0.44.2a1740050593",
"0.44.2a1740071168",
"0.44.2a1740084271",
"0.44.2a1740085443",
"0.44.2a1740085570",
"0.45.0",
"0.45.1",
"0.45.2",
"0.45.3",
"0.45.4",
"0.46.0",
"0.46.1",
"0.47.0",
"0.47.1",
"0.47.2",
"0.47.3",
"0.47.4",
"0.47.5",
"0.47.5a1741824272",
"0.47.5a1741825046",
"0.47.5a1741825731",
"0.47.5a1741826544",
"0.48.0",
"0.49.0",
"0.49.0a1742393199",
"0.49.0a1742655039",
"0.49.0a1742657799",
"0.49.0a1742658030",
"0.5.0",
"0.50.0",
"0.50.0a1742865563",
"0.50.0a1742876514",
"0.50.0a1742886287",
"0.50.0a1742907455",
"0.50.0a1742975161",
"0.50.1",
"0.50.2",
"0.50.3",
"0.50.4",
"0.50.4a1743070636",
"0.50.5",
"0.51.0",
"0.51.1",
"0.51.2",
"0.52.0",
"0.52.1",
"0.52.1a1744119894",
"0.52.2",
"0.52.3",
"0.52.3a1744217583",
"0.52.4",
"0.53.0",
"0.53.1",
"0.54.0",
"0.55.0",
"0.55.1",
"0.55.2",
"0.55.3",
"0.55.4",
"0.55.5",
"0.55.6",
"0.55.6a1748524485",
"0.55.6a1748537170",
"0.55.6a1748538406",
"0.55.6a1748538717",
"0.55.6a1748545381",
"0.55.6a1748787282",
"0.55.6a1748962305",
"0.55.6a1749087129",
"0.55.6a1749087663",
"0.55.6a1749164000",
"0.55.6a1749165639",
"0.55.6a1749248294",
"0.6.0",
"0.6.1",
"0.6.2",
"0.6.3",
"0.6.4",
"0.7.0",
"0.7.1",
"0.7.2",
"0.8.0",
"0.8.1",
"0.8.2",
"0.8.3",
"0.8.4",
"0.9.0"
]
}
],
"aliases": [
"CVE-2025-6278"
],
"details": "A vulnerability classified as critical was found in Upsonic up to 0.55.6. This vulnerability affects the function os.path.join of the file markdown/server.py. The manipulation of the argument file.filename leads to path traversal. The exploit has been disclosed to the public and may be used.",
"id": "PYSEC-2025-67",
"modified": "2025-07-08T19:22:27.385619+00:00",
"published": "2025-06-19T21:15:27+00:00",
"references": [
{
"type": "ADVISORY",
"url": "https://vuldb.com/?ctiid.313282"
},
{
"type": "ADVISORY",
"url": "https://vuldb.com/?id.313282"
},
{
"type": "ADVISORY",
"url": "https://vuldb.com/?submit.593096"
},
{
"type": "EVIDENCE",
"url": "https://github.com/Upsonic/Upsonic/issues/356"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.313282"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.313282"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.593096"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.