Code Execution Vulnerability in SecureDrop Client by Freedom of the Press Foundation
CVE-2025-24888

8.1 HIGH

Key Information:

Vendor
CVE Published:
13 February 2025

What is CVE-2025-24888?

The SecureDrop Client, used to facilitate secure communication between journalists and their sources, contains a vulnerability that could allow a compromised SecureDrop Server to execute arbitrary code on the client machine. The flaw lies in how the client handles HTTP headers while downloading replies: it takes the filename from the Content-Disposition HTTP header without adequately sanitizing it, so a malicious server can supply a filename that causes the file to be written to a directory the client never checked. An attacker controlling the server could use this to create an autostart file in the user's home configuration directory, allowing code execution when the client is restarted. No exploitation attempts have been recorded at this time, but users are advised to update to version 0.14.1 or above to mitigate the risk.
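The pattern behind the flaw, and the check that closes it, as an added illustration that is not code from securedrop-client itself: a server-controlled Content-Disposition filename is joined to a download directory. The vulnerable helper trusts the name as given; the hardened helper rejects anything that is not a bare basename and verifies the resolved path stays inside the download directory. `DOWNLOAD_DIR`, the function names and the sample header values are constructed for this example.

```python
import os
from email.message import Message
from pathlib import Path

# Constructed example location; a real client would use its own data directory.
DOWNLOAD_DIR = Path("/tmp/securedrop-downloads")


def filename_from_content_disposition(header: str) -> str:
    """Extract the filename parameter from a Content-Disposition header value.

    email.message parses the standard 'attachment; filename="..."' syntax
    and unquotes the value; it does no path validation of any kind.
    """
    msg = Message()
    msg["Content-Disposition"] = header
    name = msg.get_filename()
    if not name:
        raise ValueError("no filename parameter in Content-Disposition")
    return name


def escapes_download_dir(target: Path) -> bool:
    """True when the fully resolved target is not located under DOWNLOAD_DIR."""
    root = DOWNLOAD_DIR.resolve()
    return root not in target.resolve().parents


def unsafe_target_path(header: str) -> Path:
    """Vulnerable pattern: the server-supplied name is joined directly to the
    download directory, so '../' components walk out of it."""
    return DOWNLOAD_DIR / filename_from_content_disposition(header)


def safe_target_path(header: str) -> Path:
    """Hardened pattern: accept only a plain basename, then confirm the
    resolved destination is still inside DOWNLOAD_DIR (defence in depth)."""
    name = filename_from_content_disposition(header)
    base = os.path.basename(name.replace("\\", "/"))
    # Any separator or '..' means the server is steering the write location.
    if base != name or base in ("", ".", ".."):
        raise ValueError(f"rejected filename from server: {name!r}")
    target = DOWNLOAD_DIR / base
    if escapes_download_dir(target):
        raise ValueError(f"destination escapes download directory: {name!r}")
    return target
```

Failing loudly on a traversal attempt, rather than silently stripping it, also gives the client something to log, which is the signal an operator would want from a server that has started misbehaving.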

Affected Version(s)

securedrop-client < 0.14.1

References

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
