CVE-2025-27590: Oxidized Web RANCID migration page allows unauthenticated user to gain control over Linux user account

March 3, 2025

In oxidized-web (aka Oxidized Web) before 0.15.0, the RANCID migration page allows an unauthenticated user to gain control over the Linux user account that is running oxidized-web.

References

github.com/advisories/GHSA-jx6p-9c26-g373
github.com/ytti/oxidized-web
github.com/ytti/oxidized-web/commit/a5220a0ddc57b85cd122bffee228d3ed4901668e
github.com/ytti/oxidized-web/releases/tag/0.15.0
nvd.nist.gov/vuln/detail/CVE-2025-27590

Detect and mitigate CVE-2025-27590 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →