OpenPGP Verification Bypass in Devscripts Tool Affecting Debian
CVE-2025-8454

9.8CRITICAL

Key Information:

Vendor: Debian
Status: Devscripts
Vendor: CVE Published:; 1 August 2025

What is CVE-2025-8454?

A security flaw in the uscan tool, part of the devscripts package, allows for OpenPGP verification to be bypassed for files that have already been downloaded, even if a previous verification attempt failed. This poses a significant risk as it could allow maliciously modified files to be accepted, compromising the integrity of software updates. Users are advised to apply prompt patches and implement robust verification practices to safeguard their systems.

Affected Version(s)

devscripts 0

References

https://bugs.debian.org/1109251

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 1, 2025
Vulnerability Reserved
Aug 1, 2025

Credit

Uwe Kleine-König