Search

Find a vulnerability

Search criteria

    2 vulnerabilities by airlinklabs

    CVE-2025-57802 (GCVE-0-2025-57802)

    Vulnerability from nvd – Published: 2025-08-25 17:39 – Updated: 2025-08-25 17:52
    VLAI
    Title
    Airlink's Daemon Symlink Vulnerability
    Summary
    Airlink's Daemon interfaces with Docker and the Panel to provide secure access for controlling instances via the Panel. In version 1.0.0, an attacker with access to the affected container can create symbolic links inside the mounted directory (/app/data). Because the container bind-mounts an arbitrary host path, these symlinks can point to sensitive locations on the host filesystem. When the application or other processes follow these symlinks, the attacker can gain unauthorized read access to host files outside the container. This issue has been patched in version 1.0.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-61 - UNIX Symbolic Link (Symlink) Following
    Assigner
    References
    Impacted products
    Vendor Product Version
    airlinklabs daemon Affected: = 1.0.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-57802",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-25T17:51:37.422866Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-25T17:52:01.098Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "daemon",
              "vendor": "airlinklabs",
              "versions": [
                {
                  "status": "affected",
                  "version": "= 1.0.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Airlink\u0027s Daemon interfaces with Docker and the Panel to provide secure access for controlling instances via the Panel. In version 1.0.0, an attacker with access to the affected container can create symbolic links inside the mounted directory (/app/data). Because the container bind-mounts an arbitrary host path, these symlinks can point to sensitive locations on the host filesystem. When the application or other processes follow these symlinks, the attacker can gain unauthorized read access to host files outside the container. This issue has been patched in version 1.0.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-61",
                  "description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-25T17:39:06.395Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/airlinklabs/daemon/security/advisories/GHSA-hrfv-wm8p-mg8m",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/airlinklabs/daemon/security/advisories/GHSA-hrfv-wm8p-mg8m"
            },
            {
              "name": "https://github.com/airlinklabs/daemon/commit/5e6222dd9eec6d7cb0876b12507e3d6011797693",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/airlinklabs/daemon/commit/5e6222dd9eec6d7cb0876b12507e3d6011797693"
            }
          ],
          "source": {
            "advisory": "GHSA-hrfv-wm8p-mg8m",
            "discovery": "UNKNOWN"
          },
          "title": "Airlink\u0027s Daemon Symlink Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-57802",
        "datePublished": "2025-08-25T17:39:06.395Z",
        "dateReserved": "2025-08-20T14:30:35.009Z",
        "dateUpdated": "2025-08-25T17:52:01.098Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-57802 (GCVE-0-2025-57802)

    Vulnerability from cvelistv5 – Published: 2025-08-25 17:39 – Updated: 2025-08-25 17:52
    VLAI
    Title
    Airlink's Daemon Symlink Vulnerability
    Summary
    Airlink's Daemon interfaces with Docker and the Panel to provide secure access for controlling instances via the Panel. In version 1.0.0, an attacker with access to the affected container can create symbolic links inside the mounted directory (/app/data). Because the container bind-mounts an arbitrary host path, these symlinks can point to sensitive locations on the host filesystem. When the application or other processes follow these symlinks, the attacker can gain unauthorized read access to host files outside the container. This issue has been patched in version 1.0.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-61 - UNIX Symbolic Link (Symlink) Following
    Assigner
    References
    Impacted products
    Vendor Product Version
    airlinklabs daemon Affected: = 1.0.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-57802",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-25T17:51:37.422866Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-25T17:52:01.098Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "daemon",
              "vendor": "airlinklabs",
              "versions": [
                {
                  "status": "affected",
                  "version": "= 1.0.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Airlink\u0027s Daemon interfaces with Docker and the Panel to provide secure access for controlling instances via the Panel. In version 1.0.0, an attacker with access to the affected container can create symbolic links inside the mounted directory (/app/data). Because the container bind-mounts an arbitrary host path, these symlinks can point to sensitive locations on the host filesystem. When the application or other processes follow these symlinks, the attacker can gain unauthorized read access to host files outside the container. This issue has been patched in version 1.0.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-61",
                  "description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-25T17:39:06.395Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/airlinklabs/daemon/security/advisories/GHSA-hrfv-wm8p-mg8m",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/airlinklabs/daemon/security/advisories/GHSA-hrfv-wm8p-mg8m"
            },
            {
              "name": "https://github.com/airlinklabs/daemon/commit/5e6222dd9eec6d7cb0876b12507e3d6011797693",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/airlinklabs/daemon/commit/5e6222dd9eec6d7cb0876b12507e3d6011797693"
            }
          ],
          "source": {
            "advisory": "GHSA-hrfv-wm8p-mg8m",
            "discovery": "UNKNOWN"
          },
          "title": "Airlink\u0027s Daemon Symlink Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-57802",
        "datePublished": "2025-08-25T17:39:06.395Z",
        "dateReserved": "2025-08-20T14:30:35.009Z",
        "dateUpdated": "2025-08-25T17:52:01.098Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }