CVE-2025-11842: Smidge is vulnerable to Path Traversal

CVSS Score: 6.3 (CVSS 3.1)

Basic Information

EPSS Score: -
Published: 10/16/2025
Updated: 10/16/2025
KEV Status: No
Technology: C#

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| Smidge | nuget | < 4.6.0 | 4.6.0 |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability, as described, is a path traversal issue in the 'Bundle Handler' related to the 'Version' argument. The analysis of the commits between the last vulnerable version (4.5.1) and the first patched version (4.6.0) revealed a key commit ca8575339bd77aeb3c754ca68263de30bd7a5cfa with the message 'Adds checks for file persistence'. This commit modifies the WriteFileAsync methods in src/Smidge.Core/Cache/PhysicalFileCacheFileSystem.cs. The changes introduce validation to the filePath parameter, preventing path traversal attacks. The added checks ensure that the file path for cached bundles, which is constructed using the user-provided 'Version', does not allow writing files outside the intended cache directory. The vulnerable functions are the two overloads of WriteFileAsync in the Smidge.Core.Cache.PhysicalFileCacheFileSystem class, as they were responsible for the insecure file writing operation before the patch.

Vulnerable functions

Smidge.Core.Cache.PhysicalFileCacheFileSystem.WriteFileAsync
src/Smidge.Core/Cache/PhysicalFileCacheFileSystem.cs
The vulnerability lies in the `WriteFileAsync` methods within the `PhysicalFileCacheFileSystem` class. Prior to the patch, these methods did not properly sanitize the `filePath` parameter, which is derived from user-controllable input (the 'Version' parameter in the request). This allowed an attacker to use path traversal sequences (e.g., `..\`) to write cache files to arbitrary locations on the file system outside of the intended cache directory. The patch mitigates this by adding checks to ensure the path is not rooted, does not contain a scheme delimiter, and is within the expected cache root directory.
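
The three checks described above (not rooted, no scheme delimiter, contained in the cache root) can be expressed as a single guard that runs before any write. This is an added example, not Smidge's code and not a copy of the patch; `CachePathGuard`, `Resolve`, the demo directory name and the sample inputs are all hypothetical.

```csharp
using System;
using System.IO;

// Hypothetical helper (not Smidge's implementation): resolves a cache-relative
// path and refuses anything that would be written outside cacheRoot.
public static class CachePathGuard
{
    public static string Resolve(string cacheRoot, string relativePath)
    {
        if (string.IsNullOrWhiteSpace(relativePath))
            throw new ArgumentException("Empty path.", nameof(relativePath));

        // Check 1: no scheme delimiter ("://"), so URI-style values are refused.
        if (relativePath.Contains(Uri.SchemeDelimiter))
            throw new InvalidOperationException("Scheme delimiter not allowed.");

        // Check 2: not rooted for the current OS ("/x", or "C:\x" on Windows).
        if (Path.IsPathRooted(relativePath))
            throw new InvalidOperationException("Rooted path not allowed.");

        // Check 3: canonicalize first, then compare against the root.
        // The trailing separator stops "cache-evil" from matching root "cache".
        string sep = Path.DirectorySeparatorChar.ToString();
        string root = Path.GetFullPath(cacheRoot);
        if (!root.EndsWith(sep, StringComparison.Ordinal))
            root += sep;
        string full = Path.GetFullPath(Path.Combine(root, relativePath));

        if (!full.StartsWith(root, StringComparison.Ordinal))
            throw new InvalidOperationException("Path escapes the cache root.");
        return full;
    }

    public static void Main()
    {
        // Constructed demo root and constructed sample values standing in for
        // a file path built from the request's 'Version' argument.
        string root = Path.Combine(Path.GetTempPath(), "smidge-cache-demo");
        string[] samples = { "v1/bundle.js", "../outside.js",
                             "v1/../../outside.js", "/abs.js", "file://x/y.js" };
        foreach (var s in samples)
        {
            try { Console.WriteLine($"OK      {s} -> {Resolve(root, s)}"); }
            catch (InvalidOperationException e) { Console.WriteLine($"REJECT  {s}: {e.Message}"); }
        }
    }
}
```

Only the first sample is accepted. The containment check runs on the canonicalized path, so a value such as `v1/../../outside.js` is refused even though it begins inside the cache directory.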
