{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-9301", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2025-08-21T05:28:41.708Z", "datePublished": "2025-08-21T13:32:08.995Z", "dateUpdated": "2025-08-21T13:49:58.107Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-08-21T13:32:08.995Z"}, "title": "cmake cmForEachCommand.cxx ReplayItems assertion", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-617", "lang": "en", "description": "Reachable Assertion"}]}], "affected": [{"vendor": "n/a", "product": "cmake", "versions": [{"version": "4.1.20250725-gb5cce23", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in cmake 4.1.20250725-gb5cce23. This affects the function cmForEachFunctionBlocker::ReplayItems of the file cmForEachCommand.cxx. This manipulation causes reachable assertion. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. Patch name: 37e27f71bc356d880c908040cd0cb68fa2c371b8. It is suggested to install a patch to address this issue."}, {"lang": "de", "value": "In cmake 4.1.20250725-gb5cce23 wurde eine Schwachstelle gefunden. Dies betrifft die Funktion cmForEachFunctionBlocker::ReplayItems der Datei cmForEachCommand.cxx. Die Ver\u00e4nderung resultiert in reachable assertion. Der Angriff muss lokal erfolgen. Der Exploit wurde der \u00d6ffentlichkeit bekannt gemacht und k\u00f6nnte verwendet werden. Der Patch hei\u00dft 37e27f71bc356d880c908040cd0cb68fa2c371b8. Es wird empfohlen, einen Patch anzuwenden, um dieses Problem zu beheben."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2025-08-21T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2025-08-21T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2025-08-21T07:33:45.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "xdcao (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.320906", "name": "VDB-320906 | cmake cmForEachCommand.cxx ReplayItems assertion", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.320906", "name": "VDB-320906 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.632369", "name": "Submit #632369 | cmake 4.1.20250725-gb5cce23 and other recent versions of the 4.x series. assertion failure", "tags": ["third-party-advisory"]}, {"url": "https://gitlab.kitware.com/cmake/cmake/-/issues/27135", "tags": ["issue-tracking"]}, {"url": "https://gitlab.kitware.com/cmake/cmake/-/issues/27135#note_1691629", "tags": ["issue-tracking"]}, {"url": "https://drive.google.com/file/d/1TerUqQB8_lzJTwIBCBmE94zn7n-gOz4f/view?usp=sharing", "tags": ["exploit"]}, {"url": "https://gitlab.kitware.com/cmake/cmake/-/commit/37e27f71bc356d880c908040cd0cb68fa2c371b8", "tags": ["patch"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-21T13:49:15.958825Z", "id": "CVE-2025-9301", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-21T13:49:58.107Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9301", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-21T13:49:15.958825Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-21T13:49:49.136Z"}}], "cna": {"title": "cmake cmForEachCommand.cxx ReplayItems assertion", "credits": [{"lang": "en", "type": "reporter", "value": "xdcao (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"}}], "affected": [{"vendor": "n/a", "product": "cmake", "versions": [{"status": "affected", "version": "4.1.20250725-gb5cce23"}]}], "timeline": [{"lang": "en", "time": "2025-08-21T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2025-08-21T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2025-08-21T07:33:45.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.320906", "name": "VDB-320906 | cmake cmForEachCommand.cxx ReplayItems assertion", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.320906", "name": "VDB-320906 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.632369", "name": "Submit #632369 | cmake 4.1.20250725-gb5cce23 and other recent versions of the 4.x series. assertion failure", "tags": ["third-party-advisory"]}, {"url": "https://gitlab.kitware.com/cmake/cmake/-/issues/27135", "tags": ["issue-tracking"]}, {"url": "https://gitlab.kitware.com/cmake/cmake/-/issues/27135#note_1691629", "tags": ["issue-tracking"]}, {"url": "https://drive.google.com/file/d/1TerUqQB8_lzJTwIBCBmE94zn7n-gOz4f/view?usp=sharing", "tags": ["exploit"]}, {"url": "https://gitlab.kitware.com/cmake/cmake/-/commit/37e27f71bc356d880c908040cd0cb68fa2c371b8", "tags": ["patch"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in cmake 4.1.20250725-gb5cce23. This affects the function cmForEachFunctionBlocker::ReplayItems of the file cmForEachCommand.cxx. This manipulation causes reachable assertion. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. Patch name: 37e27f71bc356d880c908040cd0cb68fa2c371b8. It is suggested to install a patch to address this issue."}, {"lang": "de", "value": "In cmake 4.1.20250725-gb5cce23 wurde eine Schwachstelle gefunden. Dies betrifft die Funktion cmForEachFunctionBlocker::ReplayItems der Datei cmForEachCommand.cxx. Die Ver\u00e4nderung resultiert in reachable assertion. Der Angriff muss lokal erfolgen. Der Exploit wurde der \u00d6ffentlichkeit bekannt gemacht und k\u00f6nnte verwendet werden. Der Patch hei\u00dft 37e27f71bc356d880c908040cd0cb68fa2c371b8. Es wird empfohlen, einen Patch anzuwenden, um dieses Problem zu beheben."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-617", "description": "Reachable Assertion"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-08-21T13:32:08.995Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9301", "state": "PUBLISHED", "dateUpdated": "2025-08-21T13:49:58.107Z", "dateReserved": "2025-08-21T05:28:41.708Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2025-08-21T13:32:08.995Z", "assignerShortName": "VulDB"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in cmake 4.1.20250725-gb5cce23. This affects the function cmForEachFunctionBlocker::ReplayItems of the file cmForEachCommand.cxx. This manipulation causes reachable assertion. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. Patch name: 37e27f71bc356d880c908040cd0cb68fa2c371b8. It is suggested to install a patch to address this issue."}, {"lang": "es", "value": "Se detect\u00f3 una vulnerabilidad en cmake 4.1.20250725-gb5cce23. Esta afecta a la funci\u00f3n cmForEachFunctionBlocker::ReplayItems del archivo cmForEachCommand.cxx. Esta manipulaci\u00f3n provoca una aserci\u00f3n accesible. El ataque debe ejecutarse localmente. Se ha hecho p\u00fablico el exploit y puede que sea utilizado. Nombre del parche: 37e27f71bc356d880c908040cd0cb68fa2c371b8. Se recomienda instalar un parche para solucionar este problema."}], "id": "CVE-2025-9301", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 1.7, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 3.1, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2025-08-21T14:15:44.137", "references": [{"source": "cna@vuldb.com", "url": "https://drive.google.com/file/d/1TerUqQB8_lzJTwIBCBmE94zn7n-gOz4f/view?usp=sharing"}, {"source": "cna@vuldb.com", "url": "https://gitlab.kitware.com/cmake/cmake/-/commit/37e27f71bc356d880c908040cd0cb68fa2c371b8"}, {"source": "cna@vuldb.com", "url": "https://gitlab.kitware.com/cmake/cmake/-/issues/27135"}, {"source": "cna@vuldb.com", "url": "https://gitlab.kitware.com/cmake/cmake/-/issues/27135#note_1691629"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.320906"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.320906"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.632369"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-617"}], "source": "cna@vuldb.com", "type": "Secondary"}]}

{"bugzilla": {"description": "cmake: cmake reachable assertion", "id": "2390085", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2390085"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-617", "details": ["A reachable assertion flaw has been discovered in the Cmake build system. A local attacker who can construct crafted input could reach this assertion and cause a program crash."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-9301", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "cmake", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "cmake", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "cmake", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "cmake", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "cmake", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-08-21T13:32:08Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-9301\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-9301\nhttps://drive.google.com/file/d/1TerUqQB8_lzJTwIBCBmE94zn7n-gOz4f/view?usp=sharing\nhttps://gitlab.kitware.com/cmake/cmake/-/commit/37e27f71bc356d880c908040cd0cb68fa2c371b8\nhttps://gitlab.kitware.com/cmake/cmake/-/issues/27135\nhttps://gitlab.kitware.com/cmake/cmake/-/issues/27135#note_1691629\nhttps://vuldb.com/?ctiid.320906\nhttps://vuldb.com/?id.320906\nhttps://vuldb.com/?submit.632369"], "threat_severity": "Low"}

{"created": "2025-08-23T11:53:22.541834+00:00", "updated": "2025-08-23T11:53:22.541897+00:00", "vendors": ["kitware", "kitware$PRODUCT$cmake"]}