What is CVE-2025-24888?

CVE-2025-24888 is a high-severity vulnerability in Freedomofpress Securedrop-client, classified under Path Traversal. CVSS score: 8.1/10. Published 2025-02-13.

How severe is CVE-2025-24888?

High severity. CVSS v3 base score is 8.1 out of 10.

Path Traversal in Freedomofpress Securedrop-client

CVE-2025-24888

The SecureDrop Client is a desktop application for journalists to communicate with sources and work with submissions on the SecureDrop Workstation. Prior to version 0.14.1, a malicious SecureDrop Server could obtain code execution on the S…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.031 (87.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.1 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Freedomofpress Securedrop-client — versions < 0.14.1

Weakness classification (CWE)

CWE-22 — Path Traversal

References

https://github.com/freedomofpress/securedrop-client/security/advisories/GHSA-6c3p-chq6-q3j2 (x_refsource_CONFIRM)
https://github.com/freedomofpress/securedrop-client/commit/120bac14649db0bcf5f24f2eb82731c76843b1ba (x_refsource_MISC)
https://github.com/freedomofpress/securedrop-client/blob/0.14.0/client/securedrop_client/utils.py#L79 (x_refsource_MISC)
https://github.com/freedomofpress/securedrop-client/blob/main/client/securedrop_client/api_jobs/downloads.py#L164 (x_refsource_MISC)
https://github.com/freedomofpress/securedrop-client/blob/release/0.14.0/client/securedrop_client/sdk/__init__.py#L956-L957 (x_refsource_MISC)
https://www.qubes-os.org/doc/split-gpg (x_refsource_MISC)

Frequently asked questions

What is CVE-2025-24888?: CVE-2025-24888 is a high-severity vulnerability in Freedomofpress Securedrop-client, classified under Path Traversal. CVSS score: 8.1/10. Published 2025-02-13.
How severe is CVE-2025-24888?: High severity. CVSS v3 base score is 8.1 out of 10.