CVE-2025-27590: 
Ruby vulnerability analysis and mitigation

CVE-2025-27590 affects Oxidized Web, a web interface for network device configuration management. The vulnerability exists in versions before 0.15.0, where the RANCID migration page allows an unauthenticated user to gain control over the Linux user account that is running oxidized-web. The vulnerability was discovered by Jon O'Reilly and Jamie Riden from NetSPI and was disclosed in March 2025 (Github Release, NVD).

The vulnerability received a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) from NVD, and a score of 9.0 CRITICAL (Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) from MITRE. The vulnerability specifically exists in the RANCID migration page functionality, which was already deprecated in version 0.14.0 (Github Release).

The vulnerability allows an unauthenticated attacker to gain complete control over the Linux user account that runs the oxidized-web service. This level of access could potentially lead to system compromise and unauthorized access to network device configurations (NVD).

The vulnerability has been fixed in Oxidized Web version 0.15.0 by completely removing the deprecated RANCID migration page functionality. Users are advised to upgrade to version 0.15.0 or later to address this security issue (Github Release).