CVE-2025-54071

CRITICAL EPSS 47.1%

Published Jul 21, 202511mo ago · Modified Jun 17, 20261w ago

9.4 CVSS 4.0

Critical

Published Jul 21, 2025 11mo ago

Last Modified Jun 17, 2026 1w ago

Description

RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. In versions 4.0.0-beta.3 and below, an authenticated arbitrary file write vulnerability exists in the /api/saves endpoint. This can lead to Remote Code Execution on the system. The vulnerability permits arbitrary file write operations, allowing attackers to create or modify files at any filesystem location with user-supplied content. A user with viewer role or Scope.ASSETS_WRITE permission or above is required to pass authentication checks. The vulnerability is fixed in version 4.0.0-beta.4.

CVSS Details

Base Score

9.4

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope X

Threat Intelligence

EPSS Exploit Probability

47.1% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-434 Unrestricted Upload of File with Dangerous Type Resource Mgmt

References 2

github.com https://github.com/rommapp/romm/commit/89248d03805e5fabca78443dd202ff32e0b4d9f3
github.com https://github.com/rommapp/romm/security/advisories/GHSA-fgxf-hggc-qqmq

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.