CVE-2025-53632: 
vulnerability analysis and mitigation

CVE-2025-53632 affects Chall-Manager, a platform-agnostic system designed for starting Challenges on Demand. The vulnerability was discovered and disclosed on July 10, 2025, and involves a zip slip vulnerability during scenario decoding. The issue affects all versions prior to v0.1.4 (NVD, GitHub Advisory).

The vulnerability occurs when decoding a scenario (zip archive), where the path of the file to write is not properly validated, potentially leading to zip slips. The issue has been assigned a CVSS v4.0 base score of 8.8 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD).

If exploited, this vulnerability could allow attackers to write files outside the intended directory structure, potentially leading to unauthorized file access or manipulation. The vulnerability does not require authentication or authorization for exploitation, making it particularly severe (NVD).

The vulnerability has been patched in version 0.1.4 of Chall-Manager. The fix was implemented in commit 47d188f, which added proper path sanitization checks during the archive extraction process. Users are advised to upgrade to version 0.1.4 or later (GitHub Commit, GitHub Release).