RubySec

Providing security resources for the Ruby community

CVE-2025-27590 (oxidized-web): Oxidized Web RANCID migration page allows unauthenticated user to gain control over Linux user account

Published: March 03, 2025

SECURITY IDENTIFIERS

CVE-2025-27590

GEM

oxidized-web

SEVERITY

CVSS v3.x: 9.1 (Critical)

PATCHED VERSIONS

>= 0.15.0

DESCRIPTION

In oxidized-web (aka Oxidized Web) before 0.15.0, the RANCID migration page allows an unauthenticated user to gain control over the Linux user account that is running oxidized-web.