CVE-2025-13425
📋 TL;DR
A bug in OSV-SCALIBR's filesystem traversal causes a panic when processing empty directories, leading to application crashes. This vulnerability affects systems running OSV-SCALIBR that scan directories, potentially causing denial of service. The issue is triggered when ReadDir returns nil for empty directories.
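The bug class described above, shown as an added Go illustration that is not OSV-SCALIBR's own code: an unguarded iterator indexes the slice returned by os.ReadDir, which is empty for an empty directory, beside a hardened traversal that checks for the empty result. The function names and the sample directory tree are constructed for this example.

```go
package main

import (
	"os"
	"path/filepath"
)

// makeTree builds a constructed sample tree: root/a.txt and root/empty/ (no entries).
func makeTree() (string, error) {
	root, err := os.MkdirTemp("", "cve-2025-13425-example")
	if err != nil {
		return "", err
	}
	if err := os.Mkdir(filepath.Join(root, "empty"), 0o755); err != nil {
		return "", err
	}
	return root, os.WriteFile(filepath.Join(root, "a.txt"), []byte("x"), 0o644)
}

// firstEntryUnguarded shows the bug class: it assumes ReadDir returns at least one
// entry, so on an empty directory (nil/empty slice) entries[0] panics: index out of range.
func firstEntryUnguarded(dir string) (string, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return "", err
	}
	return entries[0].Name(), nil
}

// walkGuarded is the hardened traversal: an empty ReadDir result is handled explicitly
// and entries are visited with range, never by bare index. Returns all paths visited.
func walkGuarded(dir string, visited []string) ([]string, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return visited, err
	}
	if len(entries) == 0 {
		return visited, nil // empty directory: nothing to iterate, no panic
	}
	for _, e := range entries {
		p := filepath.Join(dir, e.Name())
		visited = append(visited, p)
		if e.IsDir() {
			if visited, err = walkGuarded(p, visited); err != nil {
				return visited, err
			}
		}
	}
	return visited, nil
}
```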
💻 Affected Systems
- OSV-SCALIBR
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Repeated exploitation could cause persistent application crashes, leading to sustained denial of service and disruption of security scanning operations.
Likely Case
Accidental or targeted triggering causes application crashes when scanning directories containing empty subdirectories, resulting in temporary denial of service.
If Mitigated
Application restarts automatically or is monitored for crashes, minimizing downtime to brief interruptions.
🎯 Exploit Status
Exploitation requires ability to create or manipulate directory structures that OSV-SCALIBR scans. No authentication bypass needed if scanning accessible directories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit e67c4e198ca099cb7c16957a80f6c5331d90a672 and later
Vendor Advisory: https://github.com/google/osv-scalibr/commit/e67c4e198ca099cb7c16957a80f6c5331d90a672
Restart Required: Yes
Instructions:
1. Update OSV-SCALIBR to a version including commit e67c4e198ca099cb7c16957a80f6c5331d90a672.
2. Rebuild the application.
3. Restart the OSV-SCALIBR service or process.
🔧 Temporary Workarounds
- Avoid scanning directories with empty subdirectories: configure OSV-SCALIBR to exclude directories that may contain empty subdirectories from scanning.
- Configure scan exclusions in the OSV-SCALIBR configuration to skip problematic directories.
🧯 If You Can't Patch
- Implement monitoring and automatic restart for OSV-SCALIBR processes to minimize downtime from crashes
- Restrict filesystem access to prevent creation of empty directories in scanned paths
🔍 How to Verify
Check if Vulnerable:
Check OSV-SCALIBR version or commit hash against the fixed commit e67c4e198ca099cb7c16957a80f6c5331d90a672
Check Version:
Check build metadata or git commit history of OSV-SCALIBR installation
Verify Fix Applied:
Test scanning a directory containing empty subdirectories - application should not crash
📡 Detection & Monitoring
Log Indicators:
- Application panic logs with 'index out of range' in fs/diriterate/diriterate.go
- Unexpected process termination of OSV-SCALIBR
Network Indicators:
- None - this is a local filesystem vulnerability
SIEM Query:
Process termination events for OSV-SCALIBR with panic/segfault error codes