OpenPGP Verification Bypass in Devscripts Tool Affecting Debian
CVE-2025-8454

9.8CRITICAL

Key Information:

Vendor

Debian

Vendor
CVE Published:
1 August 2025

What is CVE-2025-8454?

A security flaw in the uscan tool, part of the devscripts package, allows for OpenPGP verification to be bypassed for files that have already been downloaded, even if a previous verification attempt failed. This poses a significant risk as it could allow maliciously modified files to be accepted, compromising the integrity of software updates. Users are advised to apply prompt patches and implement robust verification practices to safeguard their systems.

Affected Version(s)

devscripts 0

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Uwe Kleine-König
.
CVE-2025-8454 : OpenPGP Verification Bypass in Devscripts Tool Affecting Debian