CVE-2025-0509

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-0509
A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkle’s (Ed)DSA signing checks.

6.8 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.9 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/sparkle-project/Sparkle/pull/2550 Issue Tracking Patch
https://security.netapp.com/advisory/ntap-20250124-0008/ Vendor Advisory
https://sparkle-project.org/documentation/security-and-reliability/ Patch
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:netapp:hci_compute_node:-:*:*:*:*:*:*:*
cpe:2.3:a:sparkle-project:sparkle:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
cpe:2.3:o:netapp:hci_compute_node:-:*:*:*:*:*:*:*
History

05 Aug 2025, 14:35

Type Values Removed Values Added
References () https://security.netapp.com/advisory/ntap-20250124-0008/ - () https://security.netapp.com/advisory/ntap-20250124-0008/ - Vendor Advisory
References () https://github.com/sparkle-project/Sparkle/pull/2550 - () https://github.com/sparkle-project/Sparkle/pull/2550 - Issue Tracking, Patch
References () https://sparkle-project.org/documentation/security-and-reliability/ - () https://sparkle-project.org/documentation/security-and-reliability/ - Patch
CPE cpe:2.3:o:netapp:hci_compute_node:-:*:*:*:*:*:*:*
cpe:2.3:a:sparkle-project:sparkle:*:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
First Time Netapp
Sparkle-project sparkle
Sparkle-project
Netapp hci Compute Node
Netapp oncommand Workflow Automation
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.8

17 Feb 2025, 12:15

Type Values Removed Values Added
Summary A security issue was found in Sparkle before version 2.64. An attacker can replace an existing signed update with another payload, bypassing Sparkle’s (Ed)DSA signing checks. A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkle’s (Ed)DSA signing checks.

04 Feb 2025, 20:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-02-04 20:15

Updated : 2025-08-05 14:35

NVD link : CVE-2025-0509

Mitre link : CVE-2025-0509

JSON object : View

Products Affected

netapp

  • oncommand_workflow_automation
  • hci_compute_node

sparkle-project

  • sparkle
CWE

No CWE.