CVE-2025-53908

RomM is a self-hosted rom manager and player. Versions prior to 3.10.3 and 4.0.0-beta.3 have an authenticated path traversal vulnerability in the `/api/raw` endpoint. Anyone running the latest version of RomM and has multiple users, even unprivileged users, such as the kiosk user in the official implementation, may be affected. This allows the leakage of passwords and users that may be stored on the system. Versions 3.10.3 and 4.0.0-beta.3 contain a patch.

CVSS

No CVSS.

References

Link	Resource
https://github.com/rommapp/romm/blob/4.0.0-beta.2/backend/endpoints/raw.py#L31
https://github.com/rommapp/romm/commit/7c94cb05e74ddb6a6af7b82320686c01754e9966
https://github.com/rommapp/romm/commit/baa1a9759079c36e36a9f10c920c46b57d0b6151
https://github.com/rommapp/romm/security/advisories/GHSA-fx9g-xw4j-jwc3
https://github.com/rommapp/romm/security/advisories/GHSA-fx9g-xw4j-jwc3

Configurations

No configuration.

History

18 Jul 2025, 15:15

Type	Values Removed	Values Added
References	~~() https://github.com/rommapp/romm/security/advisories/GHSA-fx9g-xw4j-jwc3 -~~	() https://github.com/rommapp/romm/security/advisories/GHSA-fx9g-xw4j-jwc3 -

17 Jul 2025, 21:15

Type	Values Removed	Values Added
Summary		(es) RomM es un gestor y reproductor de ROM autoalojado. Las versiones anteriores a la 3.10.3 y 4.0.0-beta.3 presentan una vulnerabilidad de path traversal autenticadas en el endpoint `/api/raw`. Cualquiera que ejecute la última versión de RomM y tenga varios usuarios, incluso sin privilegios, como el usuario de kiosco en la implementación oficial, podría verse afectado. Esto permite la filtración de contraseñas y usuarios almacenados en el sistema. Las versiones 3.10.3 y 4.0.0-beta.3 incluyen un parche.

16 Jul 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-16 20:15

Updated : 2025-07-18 15:15

NVD link : CVE-2025-53908

Mitre link : CVE-2025-53908

CVE.ORG link : CVE-2025-53908

JSON object : View

Products Affected

No product.

CWE

CWE-26

Path Traversal: '/dir/../filename'

{"id": "CVE-2025-53908", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-16T20:15:24.857", "references": [{"url": "https://github.com/rommapp/romm/blob/4.0.0-beta.2/backend/endpoints/raw.py#L31", "source": "security-advisories@github.com"}, {"url": "https://github.com/rommapp/romm/commit/7c94cb05e74ddb6a6af7b82320686c01754e9966", "source": "security-advisories@github.com"}, {"url": "https://github.com/rommapp/romm/commit/baa1a9759079c36e36a9f10c920c46b57d0b6151", "source": "security-advisories@github.com"}, {"url": "https://github.com/rommapp/romm/security/advisories/GHSA-fx9g-xw4j-jwc3", "source": "security-advisories@github.com"}, {"url": "https://github.com/rommapp/romm/security/advisories/GHSA-fx9g-xw4j-jwc3", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-26"}]}], "descriptions": [{"lang": "en", "value": "RomM is a self-hosted rom manager and player. Versions prior to 3.10.3 and 4.0.0-beta.3 have an authenticated path traversal vulnerability in the `/api/raw` endpoint. Anyone running the latest version of RomM and has multiple users, even unprivileged users, such as the kiosk user in the official implementation, may be affected. This allows the leakage of passwords and users that may be stored on the system. Versions 3.10.3 and 4.0.0-beta.3 contain a patch."}, {"lang": "es", "value": "RomM es un gestor y reproductor de ROM autoalojado. Las versiones anteriores a la 3.10.3 y 4.0.0-beta.3 presentan una vulnerabilidad de path traversal autenticadas en el endpoint `/api/raw`. Cualquiera que ejecute la \u00faltima versi\u00f3n de RomM y tenga varios usuarios, incluso sin privilegios, como el usuario de kiosco en la implementaci\u00f3n oficial, podr\u00eda verse afectado. Esto permite la filtraci\u00f3n de contrase\u00f1as y usuarios almacenados en el sistema. Las versiones 3.10.3 y 4.0.0-beta.3 incluyen un parche."}], "lastModified": "2025-07-18T15:15:28.413", "sourceIdentifier": "security-advisories@github.com"}