Path Traversal: '\..\filename'
CVE-2025-12790
Summary
A flaw was found in Rubygem MQTT. In versions through 0.6.0, by default, the package did not have hostname validation, resulting in a possible Man-In-The-Middle (MITM) attack.
- HIGH
- NETWORK
- HIGH
- UNCHANGED
- NONE
- NONE
- HIGH
- NONE
CWE-29 - Path Traversal: '\..\filename'
The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\..\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.
References
Advisory Timeline
- Published
