CVE-2024-25711: 
Python vulnerability analysis and mitigation

CVE-2024-25711 affects diffoscope versions before 256, allowing directory traversal via an embedded filename in a GPG file. The vulnerability was discovered and disclosed in early 2024, impacting the diffoscope tool used for file comparison and analysis. The issue specifically affects the GPG file handling functionality of the software (NVD, CVE).

The vulnerability stems from diffoscope's trust in the gpg --use-embedded-filenames option when processing GPG files. This implementation flaw allows an attacker to exploit directory traversal through specially crafted embedded filenames in GPG files. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating high severity with network attack vector and no required privileges or user interaction (NVD).

When exploited, the vulnerability allows an attacker to disclose contents of arbitrary files on the system, such as ../.ssh/id_rsa, by leveraging the embedded filename functionality in GPG files. The impact is particularly concerning as it could lead to exposure of sensitive files and information (Debian Issue).

The vulnerability has been fixed in diffoscope version 256 and later. Users are strongly advised to upgrade to the latest version. For Fedora 39 users, an update to version 257-1.fc39 is available that addresses this vulnerability (Fedora Update).