
Cloud Vulnerability DB
A community-led vulnerabilities database
A path traversal vulnerability was discovered in Ankitects Anki versions prior to 25.02.6, identified as CVE-2025-62187. The vulnerability allowed crafted sound file references to cause files to be written to arbitrary locations on Windows and Linux systems, as media file pathnames were not necessarily relative to the media folder. The issue was discovered and reported by Michael Lappas and was fixed in version 25.02.6 released on June 1, 2025 (GitHub Release).
The vulnerability is classified as a Relative Path Traversal (CWE-23) issue. According to the National Vulnerability Database, it received a CVSS v3.1 base score of 3.3 (LOW) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The vulnerability existed because the application did not properly validate media file paths, allowing references to files outside of the designated media folder (NVD).
The vulnerability could allow a malicious actor to write files to arbitrary locations on the filesystem when exploited on Windows and Linux systems. This could potentially lead to unauthorized file creation or modification in unintended locations (GitHub PR).
The vulnerability has been fixed in Anki version 25.02.6. The fix ensures that media files are passed relative to the media folder and references to audio files outside of the media folder are no longer allowed. Users are strongly recommended to update to version 25.02.6 or later to mitigate this security issue (GitHub Release).
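A minimal sketch of the kind of containment check the fix description implies, added here as an example and not Anki's own code. The names `resolve_media_reference` and `audit_references` are hypothetical, and the sample references are constructed.

```python
from pathlib import Path, PurePosixPath, PureWindowsPath


class UnsafeMediaReference(ValueError):
    """A media reference that would resolve outside the media folder."""


def resolve_media_reference(media_dir: Path, ref: str) -> Path:
    """Return the absolute path of `ref` inside `media_dir`, or raise."""
    if not ref or "\x00" in ref:
        raise UnsafeMediaReference(f"empty reference or NUL byte: {ref!r}")
    # Parse under both path grammars regardless of host OS: the same
    # deck may be opened on Windows and on Linux.
    for grammar in (PurePosixPath, PureWindowsPath):
        pure = grammar(ref)
        # anchor covers "/x", "\\x", "C:\\x", drive-relative "C:x" and UNC paths.
        if pure.is_absolute() or pure.anchor:
            raise UnsafeMediaReference(f"absolute or anchored path: {ref!r}")
        if ".." in pure.parts:
            raise UnsafeMediaReference(f"parent-directory component: {ref!r}")
    # Containment check after symlinks are resolved.
    root = media_dir.resolve()
    candidate = (root / ref).resolve()
    if not candidate.is_relative_to(root):  # Python 3.9+
        raise UnsafeMediaReference(f"escapes media folder: {ref!r}")
    return candidate


def audit_references(media_dir: Path, refs: list[str]) -> list[str]:
    """Return the references that would be rejected, in input order."""
    rejected = []
    for ref in refs:
        try:
            resolve_media_reference(media_dir, ref)
        except UnsafeMediaReference:
            rejected.append(ref)
    return rejected


if __name__ == "__main__":
    import tempfile
    # Constructed sample references, not taken from any real deck.
    samples = ["hello.mp3", "../outside.mp3", "..\\outside.mp3",
               "/tmp/outside.mp3", "C:\\Temp\\outside.mp3", "C:outside.mp3"]
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_references(Path(tmp), samples))
```

Checking each reference under both POSIX and Windows path rules catches backslash-separated and drive-letter forms even when the check runs on Linux, where they would otherwise parse as a single harmless-looking filename.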
The GitHub release announcement received positive community engagement with 20 thumbs-up reactions and 9 rocket reactions, indicating strong community support for the security fix. The development team responded quickly to the security report and implemented the necessary fixes (GitHub Release).
Source: This report was generated using AI