CVE-2025-52968

Name
CVE-2025-52968
Description
xdg-open in xdg-utils through 1.2.1 can send requests containing SameSite=Strict cookies, which can facilitate CSRF. (For example, xdg-open could be modified to, by default, associate x-scheme-handler/https with the execution of a browser with command-line options that arrange for an empty cookie store, although this would add substantial complexity, and would not be considered a desirable or expected behavior by all users.) NOTE: this is disputed because integrations of xdg-open typically do not provide information about whether the xdg-open command and arguments were manually entered by a user, or whether they were the result of a navigation from content in an untrusted origin.
NVD Severity
low
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
cve@mitre.org https://cgit.freedesktop.org/xdg/xdg-utils/tag/?h=v1.2.1
cve@mitre.org https://www.openwall.com/lists/oss-security/2025/06/23/1

Match rules

CPE URI Source package Min version Max version
xdg-utils >= 0 <= 1.2.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
xdg-utils edge-community 1.2.1-r1 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
xdg-utils 3.22-community 1.2.1-r1 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable