CVE-2025-53908
Published 2025-07-16
Priority: P3 49 | Severity: high, 8.3 (CVSS 4.0)
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N (all threat, environmental and supplemental metrics E, CR, IR, AR, MAV, MAC, MAT, MPR, MUI, MVC, MVI, MVA, MSC, MSI, MSA, S, AU, R, V, RE, U are X, not defined)
EPSS: 0.45% (35.5th percentile)
RomM is a self-hosted rom manager and player. Versions prior to 3.10.3 and 4.0.0-beta.3 have an authenticated path traversal vulnerability in the `/api/raw` endpoint. Anyone running the latest version of RomM with multiple users, even unprivileged users such as the kiosk user in the official implementation, may be affected. This allows the leakage of passwords and users that may be stored on the system. Versions 3.10.3 and 4.0.0-beta.3 contain a patch.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rommapp | romm | < 3.10.3 | 3.10.3 |
| rommapp | romm | < 4.0.0-beta.3 | 4.0.0-beta.3 |
No advisories linked to this vulnerability.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://github.com/rommapp/romm/blob/4.0.0-beta.2/backend/endpoints/raw.py#L31
https://github.com/rommapp/romm/commit/7c94cb05e74ddb6a6af7b82320686c01754e9966
https://github.com/rommapp/romm/commit/baa1a9759079c36e36a9f10c920c46b57d0b6151
https://github.com/rommapp/romm/security/advisories/GHSA-fx9g-xw4j-jwc3