CVE-2025-54433
Python vulnerability analysis and mitigation

Overview

A path traversal vulnerability (CVE-2025-54433) was discovered in Bugsink's ingestion functionality affecting versions >= 1.7.0 < 1.7.4, >= 1.6.0 < 1.6.4, >= 1.5.0 < 1.5.5, and < 1.4.3. The vulnerability was disclosed on July 29, 2025, and allows attackers with access to a valid DSN to manipulate the event_id parameter to write files outside the intended directory (GitHub Advisory).

Technical details

The vulnerability stems from the ingestion paths constructing file locations directly from the untrusted event_id input without proper validation. The application did not validate or sanitize the event_id parameter before using it in file path construction, so a specially crafted event_id could traverse outside the designated directory. The vulnerability has been assigned a CVSS score of 7.1 (High), with a Network attack vector, Low attack complexity, and Low privileges required (GitHub Advisory).

Impact

When successfully exploited, this vulnerability allows an attacker with a valid DSN to write or overwrite files outside the designated directory. In containerized environments, the impact is limited to the container's filesystem. However, in non-containerized setups, the attacker could potentially affect other parts of the system accessible to the Bugsink user account (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been patched in versions 1.7.4, 1.6.4, 1.5.5, and 1.4.3. The fix requires event_id to be a valid UUID and normalizes it before it is used in a file path. Users should upgrade to these patched versions to protect against this vulnerability. The patch adds validation at the edge and further security checks in event_id processing (GitHub Advisory, GitHub Commit).
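The pattern described in this advisory, as an added illustration that is not Bugsink's own code: a path built straight from an untrusted event_id next to a hardened version that requires a well-formed UUID, normalizes it, and re-checks containment before touching the filesystem. STORAGE_ROOT and the function names are assumptions for the example.

```python
import os
import uuid

# Constructed example; STORAGE_ROOT is an assumed directory, not Bugsink's real path.
STORAGE_ROOT = "/var/lib/bugsink/ingest"


def unsafe_event_path(event_id: str) -> str:
    """Vulnerable pattern: untrusted input joined into a path unchecked."""
    return os.path.join(STORAGE_ROOT, event_id)


def normalize_event_id(event_id: str) -> str:
    """Return the canonical 32-character hex form of a UUID, or raise ValueError.

    uuid.UUID() rejects anything that is not a UUID, so '..' and '/' never
    reach the path. .hex drops dashes, braces and case, so one logical event
    always maps to exactly one file name.
    """
    try:
        return uuid.UUID(str(event_id)).hex
    except ValueError as exc:
        raise ValueError(f"event_id is not a valid UUID: {event_id!r}") from exc


def is_inside_root(path: str) -> bool:
    """Lexical containment check: does path stay strictly under STORAGE_ROOT?

    Defence in depth behind the UUID check. Deployed code should also resolve
    symlinks (os.path.realpath) on both sides before comparing.
    """
    root = os.path.normpath(STORAGE_ROOT)
    target = os.path.normpath(path)
    return target != root and os.path.commonpath([root, target]) == root


def safe_event_path(event_id: str) -> str:
    """Hardened pattern: validate at the edge, normalize, then re-check."""
    path = os.path.join(STORAGE_ROOT, normalize_event_id(event_id))
    if not is_inside_root(path):
        raise ValueError("event_id resolves outside the storage root")
    return path


def accepts_event_id(event_id: str) -> bool:
    """True if safe_event_path accepts event_id, False if it rejects it."""
    try:
        safe_event_path(event_id)
        return True
    except ValueError:
        return False
```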

