Vulnerability Details CVE-2025-59334
Linkr is a lightweight file delivery system that downloads files from a webserver. Linkr versions through 2.0.0 do not verify the integrity or authenticity of .linkr manifest files before using their contents, allowing a tampered manifest to inject arbitrary file entries into a package distribution. An attacker can modify a generated .linkr manifest (for example by adding a new entry with a malicious URL) and when a user runs the extract command the client downloads the attacker-supplied file without verification. This enables arbitrary file injection and creates a potential path to remote code execution if a downloaded malicious binary or script is later executed. Version 2.0.1 adds a manifest integrity check that compares the checksum of the original author-created manifest to the one being extracted and aborts on mismatch, warning if no original manifest is hosted. Users should update to 2.0.1 or later. As a workaround prior to updating, use only trusted .linkr manifests, manually verify manifest integrity, and host manifests on trusted servers.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 18.9%
CVSS Severity
CVSS v3 Score 9.6
References
Products affected by CVE-2025-59334
-
cpe:2.3:a:mohammadzain2008:linkr:0.1.0
-
cpe:2.3:a:mohammadzain2008:linkr:1.0.0
-
cpe:2.3:a:mohammadzain2008:linkr:2.0.0