Description

internetarchive is a Python and Command-Line Interface to Archive.org In versions 5.5.0 and below, there is a directory traversal (path traversal) vulnerability in the File.download() method of the internetarchive library. The file.download() method does not properly sanitize user-supplied filenames or validate the final download path. A maliciously crafted filename could contain path traversal sequences (e.g., ../../../../windows/system32/file.txt) or illegal characters that, when processed, would cause the file to be written outside of the intended target directory. An attacker could potentially overwrite critical system files or application configuration files, leading to a denial of service, privilege escalation, or remote code execution, depending on the context in which the library is used. The vulnerability is particularly critical for users on Windows systems, but all operating systems are affected. This issue is fixed in version 5.5.1.

INFO

Published Date :

2025-09-06T18:45:55.833Z

Last Modified :

2025-11-03T18:13:54.480Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-58438 vulnerability.

Vendors Products
Microsoft
  • Windows
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-58438.

URL Resource
https://github.com/jjjake/internetarchive/commit/cba2d459e10a9489fb35caeba0b03e80f5f5d7c2 cve-icon cve-icon
https://github.com/jjjake/internetarchive/releases/tag/v5.5.1 cve-icon cve-icon
https://github.com/jjjake/internetarchive/security/advisories/GHSA-wx3r-v6h7-frjp cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2025/09/msg00030.html cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability