{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-52968", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-06-23T16:18:03.769Z", "dateReserved": "2025-06-23T00:00:00.000Z", "datePublished": "2025-06-23T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "xdg-utils", "vendor": "freedesktop", "versions": [{"lessThanOrEqual": "1.2.1", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "xdg-open in xdg-utils through 1.2.1 can send requests containing SameSite=Strict cookies, which can facilitate CSRF. (For example, xdg-open could be modified to, by default, associate x-scheme-handler/https with the execution of a browser with command-line options that arrange for an empty cookie store, although this would add substantial complexity, and would not be considered a desirable or expected behavior by all users.) NOTE: this is disputed because integrations of xdg-open typically do not provide information about whether the xdg-open command and arguments were manually entered by a user, or whether they were the result of a navigation from content in an untrusted origin."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-420", "description": "CWE-420 Unprotected Alternate Channel", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-06-23T16:18:03.769Z"}, "references": [{"url": "https://cgit.freedesktop.org/xdg/xdg-utils/tag/?h=v1.2.1"}, {"url": "https://www.openwall.com/lists/oss-security/2025/06/23/1"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 2.7, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N"}}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:freedesktop:xdg-utils:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.2.1"}]}]}], "tags": ["disputed"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-23T15:37:38.295673Z", "id": "CVE-2025-52968", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-23T15:37:55.773Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-52968", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-23T15:37:38.295673Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-23T15:37:45.530Z"}}], "cna": {"tags": ["disputed"], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 2.7, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N"}}], "affected": [{"vendor": "freedesktop", "product": "xdg-utils", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2.1"}], "defaultStatus": "unknown"}], "references": [{"url": "https://cgit.freedesktop.org/xdg/xdg-utils/tag/?h=v1.2.1"}, {"url": "https://www.openwall.com/lists/oss-security/2025/06/23/1"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "descriptions": [{"lang": "en", "value": "xdg-open in xdg-utils through 1.2.1 can send requests containing SameSite=Strict cookies, which can facilitate CSRF. (For example, xdg-open could be modified to, by default, associate x-scheme-handler/https with the execution of a browser with command-line options that arrange for an empty cookie store, although this would add substantial complexity, and would not be considered a desirable or expected behavior by all users.) NOTE: this is disputed because integrations of xdg-open typically do not provide information about whether the xdg-open command and arguments were manually entered by a user, or whether they were the result of a navigation from content in an untrusted origin."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-420", "description": "CWE-420 Unprotected Alternate Channel"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:freedesktop:xdg-utils:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "1.2.1"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-06-23T16:18:03.769Z"}}}, "cveMetadata": {"cveId": "CVE-2025-52968", "state": "PUBLISHED", "dateUpdated": "2025-06-23T16:18:03.769Z", "dateReserved": "2025-06-23T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2025-06-23T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "xdg-open in xdg-utils through 1.2.1 can send requests containing SameSite=Strict cookies, which can facilitate CSRF. (For example, xdg-open could be modified to, by default, associate x-scheme-handler/https with the execution of a browser with command-line options that arrange for an empty cookie store, although this would add substantial complexity, and would not be considered a desirable or expected behavior by all users.) NOTE: this is disputed because integrations of xdg-open typically do not provide information about whether the xdg-open command and arguments were manually entered by a user, or whether they were the result of a navigation from content in an untrusted origin."}, {"lang": "es", "value": "xdg-open en xdg-utils hasta la versi\u00f3n 1.2.1 puede enviar solicitudes que contienen cookies SameSite=Strict, lo que facilita el CSRF. (Por ejemplo, xdg-open podr\u00eda modificarse para asociar, por defecto, x-scheme-handler/https con la ejecuci\u00f3n de un navegador con opciones de l\u00ednea de comandos que gestionen un almac\u00e9n de cookies vac\u00edo, aunque esto a\u00f1adir\u00eda una complejidad considerable y no ser\u00eda considerado un comportamiento deseable ni esperado por todos los usuarios). NOTA: Esto es controvertido porque las integraciones de xdg-open no suelen proporcionar informaci\u00f3n sobre si el comando y los argumentos de xdg-open fueron introducidos manualmente por un usuario o si fueron el resultado de una navegaci\u00f3n desde contenido de un origen no confiable."}], "id": "CVE-2025-52968", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2025-06-23T15:15:29.350", "references": [{"source": "cve@mitre.org", "url": "https://cgit.freedesktop.org/xdg/xdg-utils/tag/?h=v1.2.1"}, {"source": "cve@mitre.org", "url": "https://www.openwall.com/lists/oss-security/2025/06/23/1"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-420"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{"bugzilla": {"description": "xdg-utils: xdg-open bypassing SameSite=Strict", "id": "2374342", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374342"}, "csaw": false, "cvss3": {"cvss3_base_score": "2.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-420", "details": ["xdg-open in xdg-utils through 1.2.1 can send requests containing SameSite=Strict cookies, which can facilitate CSRF. (For example, xdg-open could be modified to, by default, associate x-scheme-handler/https with the execution of a browser with command-line options that arrange for an empty cookie store, although this would add substantial complexity, and would not be considered a desirable or expected behavior by all users.) NOTE: this is disputed because integrations of xdg-open typically do not provide information about whether the xdg-open command and arguments were manually entered by a user, or whether they were the result of a navigation from content in an untrusted origin.", "A potential Cross-site request forgery (CSRF) flaw was found in xdg-utils. The xdg-open function in xdg-utils through version 1.2.1 can send requests containing SameSite=Strict cookies, facilitating a Cross-site request forgery (CSRF) attack vector."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-52968", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "flatpak-xdg-utils", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "xdg-utils", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "xdg-utils", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "xdg-utils", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "flatpak-xdg-utils", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "xdg-utils", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "flatpak-xdg-utils", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "xdg-utils", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-06-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-52968\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-52968\nhttps://cgit.freedesktop.org/xdg/xdg-utils/tag/?h=v1.2.1\nhttps://www.openwall.com/lists/oss-security/2025/06/23/1"], "threat_severity": "Low"}

{"created": "2025-06-27T09:26:48.935951+00:00", "updated": "2025-06-27T09:26:48.936029+00:00", "vendors": ["freedesktop", "freedesktop$PRODUCT$xdg-utils"]}