CVE-2025-53513

Severity
6.5 MEDIUM
EPSS
0.2%
top 62.18%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jul 8
Latest update: Jul 28

Description

The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on the controller to upload a charm. Uploading a malicious charm that exploits a Zip Slip vulnerability could allow an attacker to gain access to a machine running a unit through the affected charm.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (3 packages)

Source    | Package                | Affected range
CVEListV5 | canonical/juju         | 2.0.0 to 2.9.52+1
NVD       | canonical/juju         | 3.0 to 3.6.8+1
Go        | github.com/juju/juju   | < 0.0.0-20250619215741-6356e984b82a

Vulnerability Details (4 advisories)

- OSV: Juju zip slip vulnerability via authenticated endpoint in github.com/juju/juju (2025-07-28)
- OSV: Juju zip slip vulnerability via authenticated endpoint (2025-07-09)
- GHSA: Juju zip slip vulnerability via authenticated endpoint (2025-07-09)
- CVEList: Zip slip vulnerability in Juju (2025-07-08)