VDB

CVE-2025-67819

CVE-2025-67819 PUBLISHED CVSS 4.900000095367432 MEDIUM

An issue was discovered in Weaviate OSS before 1.33.4. Due to a lack of validation of the fileName field in the transfer logic, an attacker who can call the GetFile method while a shard is in the "Pause file activity" state and the FileReplicationService is reachable can read arbitrary files accessible to the service process.

EPSS 0.24% · 47.0th percentile

Risk Scores

CVSS 3.1
4.900000095367432
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
EPSS Score
0.24%
47.0th percentile

Affected Products

VendorProductVersions
weaviateweaviate1.30.0, 1.33.0, 1.32.0
n/an/an/a
github.comweaviate/weaviate1.33.0-rc.0, 1.32.0-rc.0, 1.31.0-rc.0

Timeline

  • Dec 12, 2025 CVE Published
  • Dec 12, 2025 PoC Published
  • Dec 13, 2025 EPSS Score
  • Dec 17, 2025 EPSS Score
  • Dec 18, 2025 CVE Updated
  • Dec 21, 2025 EPSS Score
  • Dec 25, 2025 EPSS Score
  • Dec 29, 2025 EPSS Score
  • Jan 2, 2026 EPSS Score
  • Jan 6, 2026 EPSS Score
  • Jan 10, 2026 EPSS Score
  • Jan 15, 2026 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›