
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-8454 affects uscan, a tool included in the devscripts package that scans and watches upstream sources for new software releases. The vulnerability was discovered in August 2025: uscan skips OpenPGP verification when the upstream source was already downloaded by a previous run, even if that run's verification failed. It affects devscripts version 2.25.15 and earlier versions (NVD, Debian Bug).
The vulnerability is classified under CWE-347 (Improper Verification of Cryptographic Signature). The issue has a CVSS v3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability occurs when uscan keeps the downloaded file after a failed signature verification, which allows subsequent runs to skip the OpenPGP verification entirely (Ubuntu Security, NVD).
In effect, the cryptographic verification step can be bypassed: when signature verification fails, the downloaded file remains in place, subsequent runs skip verification, and a malicious or compromised upstream source file could end up being used in package builds (Debian Bug).
Two fixes have been proposed: store the downloaded file under a temporary name until signature verification passes, or change uscan so that it does not skip verification on subsequent runs. A patch implementing the second approach, which removes the verification-skip behavior, has been submitted (Debian Bug).
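The following Python model of the flawed download flow beside both proposed fixes is an added example, not uscan's own (Perl) code; the HMAC stand-in for OpenPGP, the file name, the signing key and the fetch callbacks are constructed assumptions.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for OpenPGP: an HMAC over the tarball with a shared key.
# uscan itself calls gpg; this only models "signature passes" vs "signature fails".
SIGNING_KEY = b"constructed-upstream-key"

def sign(data: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).digest()

def verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)

def fetch_vulnerable(dest, fetch, fetch_sig):
    """Models the CVE-2025-8454 flow: a file already on disk is trusted without verification."""
    if os.path.exists(dest):
        return "skipped"                      # bug: the earlier failure is forgotten
    data = fetch()
    with open(dest, "wb") as f:               # bug: kept in place even if verification fails
        f.write(data)
    return "verified" if verify(data, fetch_sig()) else "failed"

def fetch_fixed(dest, fetch, fetch_sig):
    """Both fixes from the report: download under a temporary name and rename only
    after verification passes, and never skip verification on a rerun."""
    if os.path.exists(dest):
        with open(dest, "rb") as f:
            data = f.read()
        return "verified" if verify(data, fetch_sig()) else "failed"
    data = fetch()
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest))
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    if not verify(data, fetch_sig()):
        os.unlink(tmp)                        # nothing survives for a later run to trust
        return "failed"
    os.replace(tmp, dest)
    return "verified"

def run_twice(fetcher, signature_valid):
    """Run the fetcher twice against a fresh directory; returns the outcome of each run."""
    tarball = b"constructed upstream tarball 1.0"
    sig = sign(tarball) if signature_valid else b"\x00" * 32
    with tempfile.TemporaryDirectory() as d:
        dest = os.path.join(d, "pkg_1.0.orig.tar.gz")
        return (fetcher(dest, lambda: tarball, lambda: sig),
                fetcher(dest, lambda: tarball, lambda: sig))
```

With a bad signature the vulnerable flow returns ("failed", "skipped"), i.e. the second run accepts the unverified file, while the fixed flow returns ("failed", "failed") and leaves nothing on disk.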
Source: This report was generated using AI