Cybersecurity Vulnerabilities

CVE-2025-13566: Unveiling a Double Free Vulnerability in nnn File Manager

November 23, 2025 - By 

Published: 2025-11-23

Overview

CVE-2025-13566 describes a low-severity double free vulnerability found in the nnn file manager, specifically in versions up to 5.1. This vulnerability occurs in the show_content_in_floating_window/run_cmd_as_plugin function within the nnn/src/nnn.c file. A successful exploit could potentially lead to denial of service or other unexpected behavior.

Technical Details

The vulnerability stems from a double free condition within the identified function. A double free occurs when memory that has already been freed is freed again. This can corrupt the memory management structures, leading to unpredictable program behavior. The specific code affected is located in the nnn/src/nnn.c file, within the show_content_in_floating_window/run_cmd_as_plugin function.

The patch addressing this issue is identified by the commit hash 2f07ccdf21e705377862e5f9dfa31e1694979ac7.

CVSS Analysis

The vulnerability has a CVSS score of 3.3, indicating a LOW severity. This is likely due to the requirement for local access to trigger the vulnerability. Key CVSS metrics include:

  • CVSS Score: 3.3
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Possible Impact

While the CVSS score is low, a successful exploitation of this double free vulnerability could lead to:

  • Denial of Service (DoS): The most likely outcome is a crash of the nnn application.
  • Unpredictable Behavior: Memory corruption can lead to unexpected program behavior, although the likelihood of this is low given the local attack vector and complexity.

Because this is a local exploit, the scope of potential damage is limited to the user’s environment.

Mitigation or Patch Steps

The recommended mitigation is to apply the patch identified by commit hash 2f07ccdf21e705377862e5f9dfa31e1694979ac7. Users can either manually apply the patch or upgrade to a version of nnn that incorporates the fix. Consider updating to the latest version of nnn to ensure you have the most up-to-date security fixes.

To apply the patch manually:

  1. Download the patch from the provided commit link.
  2. Apply the patch to your local nnn source code.
  3. Recompile and reinstall nnn.

References

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.

Related Posts

CVE-2025-61932 Critical Remote Code Execution Vulnerability in LANSCOPE Endpoint Manager

CVE-2025-61932: Critical Remote Code Execution Vulnerability in LANSCOPE Endpoint Manager

October 23, 2025

Leave a Reply

Your email address will not be published. Required fields are marked *