CVE-2025-53513: Juju zip slip vulnerability via authenticated endpoint
Any user with a Juju account on a controller can upload a charm to the /charms endpoint. No specific permissions are required; it is sufficient for the user to exist in the controller's user database. A charm that exploits the zip slip vulnerability may be used to allow such a user to gain access to a machine running a unit of the affected charm.
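As an added illustration (not Juju's code or its fix), this is the guard an archive extractor needs against the zip slip pattern described above, written in Go since Juju is a Go code base: every entry name is resolved beneath the destination directory before anything is written, and a single entry that would escape it rejects the whole archive. The destination path, the entry names and the `buildZip` helper are constructed for the example and are not taken from the advisory.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path/filepath"
	"strings"
)

// safeJoin resolves an archive entry name beneath dest and rejects any entry
// whose cleaned path would land outside dest (the zip slip pattern).
func safeJoin(dest, name string) (string, error) {
	target := filepath.Join(dest, filepath.FromSlash(name)) // Join collapses ".." segments
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("zip entry %q escapes destination %q", name, dest)
	}
	return target, nil
}

// plannedPaths resolves every entry of r under dest before anything is written,
// so a single escaping entry rejects the whole archive (fail closed).
func plannedPaths(dest string, r *zip.Reader) ([]string, error) {
	paths := make([]string, 0, len(r.File))
	for _, f := range r.File {
		target, err := safeJoin(dest, f.Name)
		if err != nil {
			return nil, err
		}
		paths = append(paths, target)
	}
	return paths, nil
}

// buildZip builds an in-memory archive from (name, content) pairs; the entries
// are constructed test input, not a real charm.
func buildZip(entries [][2]string) *zip.Reader {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		fw, _ := w.Create(e[0])
		fw.Write([]byte(e[1]))
	}
	w.Close()
	r, _ := zip.NewReader(bytes.NewReader(buf.Bytes()), int64(buf.Len()))
	return r
}
```

Note that absolute entry names are anchored under the destination rather than honoured, and that symlink entries, which can also escape a directory, are outside what this check covers.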
References
- drive.google.com/file/d/1pHRNiaA8LyMVJYwIyTqelsqJ9FmImDf0/view
- github.com/advisories/GHSA-24ch-w38v-xmh8
- github.com/juju/juju
- github.com/juju/juju/blob/3.6/apiserver/apiserver.go
- github.com/juju/juju/commit/6356e984b82a4a7b9771ff5e51e297ad62f3b405
- github.com/juju/juju/commit/ff39557a137c0e95d4cd3553b0f19c859c6f5d8e
- github.com/juju/juju/security/advisories/GHSA-24ch-w38v-xmh8
- nvd.nist.gov/vuln/detail/CVE-2025-53513
- pkg.go.dev/vuln/GO-2025-3804