CVE-2025-59518 — OS Command Injection in Lemonldap NG

CWE-78 — OS Command Injection5 documents5 sources

Severity

8.0HIGHNVD

EPSS

0.1%

top 75.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Lemonldap-ng Lemonldap NG Debian Lemonldap-ng

Timeline

PublishedSep 17

Description

In LemonLDAP::NG before 2.16.7 and 2.17 through 2.21 before 2.21.3, OS command injection can occur in the Safe jail. It does not Localize _ during rule evaluation. Thus, an administrator who can edit a rule evaluated by the Safe jail can execute commands on the server.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:HExploitability: 1.3 | Impact: 6.0

Affected Packages2 packages

▶debiandebian/lemonldap-ng< lemonldap-ng 2.16.1+ds-deb12u7 (bookworm)

▶CVEListV5lemonldap-ng/lemonldap_ng2.17.0 — 2.21.3+1

🔴Vulnerability Details

GHSA

GHSA-fxqv-qm7m-363x: In LemonLDAP::NG before 2↗2025-09-17

▶

OSV

CVE-2025-59518: In LemonLDAP::NG before 2↗2025-09-17

▶

📋Vendor Advisories

Red Hat

lemonldap-ng: OS command injection can occur in the Safe jail↗2025-09-17

▶

Debian

CVE-2025-59518: lemonldap-ng - In LemonLDAP::NG before 2.16.7 and 2.17 through 2.21 before 2.21.3, OS command i...↗2025

▶