CVE-2025-54433: 
Python vulnerability analysis and mitigation

Bugsink is a self-hosted error tracking service affected by a path traversal vulnerability (CVE-2025-54433) discovered on July 29, 2025. The vulnerability affects versions 1.4.2 and below, 1.5.0 through 1.5.4, 1.6.0 through 1.6.3, and 1.7.0 through 1.7.3. The issue stems from ingestion paths constructing file locations directly from untrusted event_id input without proper validation (GitHub Advisory).

The vulnerability occurs when the application constructs file paths using untrusted eventid input without proper validation. A specially crafted eventid can result in paths outside the intended directory through path traversal. The issue has been assigned a CVSS v4.0 score of 7.2 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD).

A valid DSN holder can craft an event_id that causes the ingestion process to write files outside its designated directory, allowing file overwrite or creation in arbitrary locations accessible to the user running Bugsink. In containerized environments, the impact is limited to the container's filesystem, while in non-containerized setups, the vulnerability could affect other parts of the system accessible to that user (GitHub Advisory).

The vulnerability has been fixed in versions 1.4.3, 1.5.5, 1.6.4, and 1.7.4. The patches implement proper validation by requiring event_id to be a valid UUID and normalizing it before use in file paths. Users should upgrade to these patched versions to protect against potential exploitation (GitHub Advisory, Miggo).