
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-58060 is a high-severity authentication bypass vulnerability discovered in CUPS (Common UNIX Printing System). The vulnerability was disclosed on September 11, 2025, and affects CUPS versions prior to 2.4.13. When AuthType is set to anything other than Basic and a request contains an Authorization: Basic header, password validation is completely bypassed (GHSA Advisory).
The vulnerability exists in the cupsdAuthorize() function in scheduler/auth.c. When the request's Authorization header uses the Basic scheme but the configured authentication type is not CUPSD_AUTH_BASIC, the password verification step is skipped entirely. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (GHSA Advisory).
The vulnerability allows attackers to bypass authentication entirely when CUPS is configured with any AuthType other than Basic. An attacker can gain unauthorized access by sending a request with a Basic Authorization header containing any administrator username and an arbitrary password. This results in complete authentication bypass, potentially leading to unauthorized access to printing resources and administrative functions (GHSA Advisory).
A patch has been developed that adds validation to block authentication using alternate methods. The fix includes additional checks in the cupsdAuthorize function to ensure proper authentication type validation. The patch is available in the CUPS repository and has been distributed to various Linux distributions for implementation (CUPS Commit).
Multiple Linux distributions have acknowledged the vulnerability and released security updates, including Ubuntu which has issued USN-7745-1 to address the vulnerability across multiple versions of their operating system (Ubuntu Notice).
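To triage hosts against the two conditions described above (a CUPS version prior to 2.4.13 and an AuthType other than Basic), the following added example audits a cupsd.conf. It is not code from CUPS or from the advisory; the function names and the sample configuration are constructed for illustration, and skipping AuthType None scopes is a choice made for this example.

```python
import re

FIXED = (2, 4, 13)  # per the page: CUPS versions prior to 2.4.13 are affected

# Constructed sample cupsd.conf for illustration, not taken from a real host.
SAMPLE_CONF = """\
DefaultAuthType Negotiate
<Location /admin>
  AuthType Default
</Location>
<Location /admin/conf>
  AuthType Basic
</Location>
<Policy default>
  <Limit CUPS-Add-Modify-Printer>
    AuthType Default
  </Limit>
</Policy>
"""

def parse_version(text):
    """Turn '2.4.12' into (2, 4, 12) so versions compare numerically."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognized CUPS version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())

def non_basic_scopes(conf_text):
    """Return (scope, effective AuthType) for every scope not using Basic."""
    default_type, scopes, found = "basic", [], []  # DefaultAuthType defaults to Basic
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line.startswith("</"):
            scopes = scopes[:-1]                 # leave <Location>/<Policy>/<Limit>
        elif line.startswith("<"):
            scopes.append(line.strip("<>").strip())
        elif line:
            key, *rest = line.split(None, 1)
            value = rest[0].strip().lower() if rest else ""
            if key.lower() == "defaultauthtype":
                default_type = value
            elif key.lower() == "authtype":
                found.append((" > ".join(scopes) or "(global)", value))
    # "Default" inherits DefaultAuthType; "None" scopes are skipped (example's choice).
    resolved = [(s, default_type if v == "default" else v) for s, v in found]
    return [(s, v) for s, v in resolved if v not in ("basic", "none")]

def assess(version, conf_text):
    old, scopes = parse_version(version) < FIXED, non_basic_scopes(conf_text)
    return {"version_affected": old, "non_basic_scopes": scopes,
            "exposed": old and bool(scopes)}
```

The version check compares against the upstream release number only; a distribution package that carries the fix under an older version string should be confirmed against the vendor's notice instead.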
Source: This report was generated using AI