CVE-2025-52968 — Unprotected Alternate Channel in Xdg-utils

CWE-420 — Unprotected Alternate Channel5 documents5 sources

Severity

2.7LOWNVD

EPSS

0.1%

top 84.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Freedesktop Xdg-utils Debian Xdg-utils

Timeline

PublishedJun 23

Description

xdg-open in xdg-utils through 1.2.1 can send requests containing SameSite=Strict cookies, which can facilitate CSRF. (For example, xdg-open could be modified to, by default, associate x-scheme-handler/https with the execution of a browser with command-line options that arrange for an empty cookie store, although this would add substantial complexity, and would not be considered a desirable or expected behavior by all users.) NOTE: this is disputed because integrations of xdg-open typically do no…

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:NExploitability: 1.0 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5freedesktop/xdg-utils1.2.1

▶debiandebian/xdg-utils

🔴Vulnerability Details

GHSA

GHSA-r9jv-cv83-m4v4: xdg-open in xdg-utils through 1↗2025-06-23

▶

OSV

CVE-2025-52968: xdg-open in xdg-utils through 1↗2025-06-23

▶

📋Vendor Advisories

Red Hat

xdg-utils: xdg-open bypassing SameSite=Strict↗2025-06-23

▶

Debian

CVE-2025-52968: xdg-utils - xdg-open in xdg-utils through 1.2.1 can send requests containing SameSite=Strict...↗2025

▶