CVE-2025-62187: 
NixOS vulnerability analysis and mitigation

CVE-2025-62187 is a security vulnerability discovered in Ankitects Anki versions prior to 25.02.6. The vulnerability allows crafted sound file references to cause files to be written to arbitrary locations on Windows and Linux systems, as media file pathnames were not necessarily relative to the media folder (NVD, GitHub Release).

The vulnerability is classified as a Relative Path Traversal (CWE-23) issue. It received a CVSS v3.1 Base Score of 3.3 (LOW) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The vulnerability specifically affected the sound file handling mechanism, where the application did not properly validate media file pathnames, allowing them to reference locations outside the intended media folder (NVD).

The vulnerability could allow a malicious actor to write files to arbitrary locations on the filesystem when exploited on Windows and Linux systems. This could potentially lead to unauthorized file creation or modification in unintended locations on the affected systems (GitHub PR, GitHub Release).

The vulnerability has been fixed in Anki version 25.02.6. The fix ensures that media files are passed relative to the media folder and references to audio files outside of the media folder are no longer allowed. Users are strongly recommended to update to this version, particularly on Windows and Linux systems (GitHub Release).