Remote Code Execution Vulnerability in CISA Thorium Email Handling
CVE-2025-35436

6.9MEDIUM

Key Information:

Vendor: Cisa
Status: Thorium
Vendor: CVE Published:; 17 September 2025

What is CVE-2025-35436?

CISA Thorium has a vulnerability in its handling of account verification email messages, where the '.unwrap()' method may be improperly utilized. An unauthenticated remote attacker can exploit this flaw by sending a specially crafted email address, potentially leading to application crashes. This issue has been addressed in the recent commit 6a65a27.

Affected Version(s)

Thorium 1.0.0 < 6a65a27

Thorium 6a65a27

References

https://github.com/mjcarson/thorium/commit/6a65a2711fb238...

https://www.cve.org/CVERecord?id=CVE-2025-35436

https://raw.githubusercontent.com/cisagov/CSAF/develop/cs...

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 17, 2025
Vulnerability Reserved
Apr 15, 2025

Credit

, OpenAI Security Research

Cisa

What is CVE-2025-35436?

Affected Version(s)

References

CVSS V4

Timeline

Credit