
CVE-2025-13425: Critical Denial of Service Vulnerability Identified in OSV-SCALIBR

Overview

CVE-2025-13425 describes a denial-of-service (DoS) vulnerability in OSV-SCALIBR caused by a bug in the filesystem traversal fallback path. When the ReadDir function returns nil for an empty directory, the Next() function in fs/diriterate/diriterate.go indexes the empty slice anyway, triggering an “index out of range” panic. The panic crashes the application, producing the denial of service.

Technical Details

The root cause lies in how OSV-SCALIBR handles empty directories during filesystem traversal. The Next() function in diriterate.go does not account for ReadDir returning nil: it attempts to access an element of an empty slice, and the resulting panic terminates the application. Because the issue sits in the filesystem traversal fallback path, it may only be reached in specific, less common directory access scenarios, so reproducing it likely depends on the structure and content of the filesystem being analyzed.
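To make the failure mode concrete, here is an added Go example (constructed for this post, not code from OSV-SCALIBR; the type, field and method names are hypothetical) that models the fallback iterator: a Next() that indexes before it checks for exhaustion and so panics on the nil slice ReadDir returns for an empty directory, the hardened Next() that checks bounds first, and a traversal wrapper that recovers the panic so the crash is observable rather than fatal.

```go
package main

import (
	"fmt"
	"io"
	"io/fs"
	"testing/fstest"
)

// dirIter is a constructed stand-in for the iterator in diriterate.go (hypothetical names).
type dirIter struct {
	entries []fs.DirEntry // fallback ReadDir result; nil for an empty directory
	pos     int
}

// NextUnchecked models the bug: exhaustion is tested only after an entry was consumed, so nil is indexed at [0].
func (it *dirIter) NextUnchecked() (fs.DirEntry, error) {
	if it.pos > 0 && it.pos >= len(it.entries) {
		return nil, io.EOF
	}
	e := it.entries[it.pos] // panic: index out of range [0] with length 0
	it.pos++
	return e, nil
}

// NextChecked is the hardened form: the bounds check runs before every index.
func (it *dirIter) NextChecked() (fs.DirEntry, error) {
	if it.pos >= len(it.entries) {
		return nil, io.EOF
	}
	e := it.entries[it.pos]
	it.pos++
	return e, nil
}

// Traverse drains an iterator, turning a panic into an error so the crash is observable by the caller.
func Traverse(it *dirIter, next func(*dirIter) (fs.DirEntry, error)) (names []string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("iterator panicked: %v", r)
		}
	}()
	for e, nerr := next(it); nerr != io.EOF; e, nerr = next(it) {
		names = append(names, e.Name())
	}
	return names, nil
}

// PopulatedDir is a constructed two-entry directory; ReadDir on a MapFS cannot fail here.
var PopulatedDir, _ = fs.ReadDir(fstest.MapFS{"a.txt": {}, "b.txt": {}}, ".")
```

On a populated directory both iterators return the same entries; only the empty directory separates them, which is why the bug surfaces as a crash on specific filesystem layouts.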

CVSS Analysis

A CVSS score for CVE-2025-13425 is not yet available (N/A), and the severity is likewise listed as N/A. Even without a score, the vulnerability clearly results in a denial of service. Without further information the exploitability metric cannot be determined definitively; assuming the vulnerability is remotely triggerable, the CVSS score would likely fall in the medium to high range. We will update this analysis when an official CVSS score is published.

Possible Impact

The impact of CVE-2025-13425 is significant: it can lead to a complete denial of service. An attacker exploiting it could crash OSV-SCALIBR, disrupting critical security analysis workflows or automated vulnerability scanning processes. The vulnerability can be triggered when OSV-SCALIBR processes a directory structure containing empty directories while using the vulnerable filesystem traversal logic. The exact conditions required to trigger it need further investigation, but the consequence is a guaranteed application crash.

Mitigation or Patch Steps

The recommended mitigation is to apply the patch provided in the following commit:

This commit addresses the incorrect slice indexing and prevents the panic from occurring when encountering empty directories. Users of OSV-SCALIBR should update to a version containing this fix as soon as possible to avoid potential denial-of-service attacks.

References

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
