Vulnerability in Rommapp Romm

CVE-2025-53908

RomM is a self-hosted ROM manager and player. Versions prior to 3.10.3 and 4.0.0-beta.3 have an authenticated path traversal vulnerability in the `/api/raw` endpoint. Anyone running the latest version of RomM and has multiple users, even u…

EPSS: 0.004 (58.3th percentile)

Affected products

Weakness classification (CWE)

References