CVE-2025-68435
Severity: CRITICAL · EPSS 28.2%
CVSS 3.1 base score: 9.1
Published Dec 17, 2025 · Last modified Jun 17, 2026
Description
Zerobyte is a backup automation tool. Zerobyte versions prior to 0.18.5 and 0.19.0 contain an authentication bypass vulnerability in which the authentication middleware is not properly applied to API endpoints, so certain API endpoints are accessible without valid session credentials. This is particularly dangerous for deployments that expose Zerobyte outside their internal network. A fix has been applied in both version 0.19.0 and 0.18.5. If an immediate upgrade is not possible, restrict network access to the Zerobyte instance to trusted networks only, using firewall rules or network segmentation. This is only a temporary mitigation; upgrading is strongly recommended.
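As an added example (not Zerobyte's code; the router, `requireSession` and the route paths are constructed), the bug class the advisory describes beside its fix: per-route auth that silently misses one endpoint, a prefix-level guard that cannot, and a route audit a defender can run in CI to catch a forgotten middleware.

```javascript
// Constructed illustration, not Zerobyte's code: a tiny in-memory router showing
// a missed per-route auth middleware, the prefix guard that prevents it, and an audit.
const UNAUTHORIZED = { status: 401, body: "unauthorized" };
// Assumed session check; a real app would look the id up in a session store.
function requireSession(req, next) {
  return req.session === "valid-session" ? next(req) : UNAUTHORIZED;
}

class Router {
  constructor() { this.routes = []; this.prefixGuards = []; }
  // Register a handler with its own middleware chain.
  add(path, middleware, handler) { this.routes.push({ path, middleware, handler }); }
  // Apply a middleware to every route under a prefix, registered before or after.
  protectPrefix(prefix, mw) { this.prefixGuards.push({ prefix, mw }); }
  handle(req) {
    const route = this.routes.find((r) => r.path === req.path);
    if (!route) return { status: 404, body: "not found" };
    const guards = this.prefixGuards
      .filter((g) => req.path.startsWith(g.prefix)).map((g) => g.mw);
    const chain = [...guards, ...route.middleware];
    const run = (i) => (r) => (i < chain.length ? chain[i](r, run(i + 1)) : route.handler(r));
    return run(0)(req);
  }
  // Audit: paths under `prefix` that neither a prefix guard nor the route's own
  // chain protects with `mw`; run this in CI to catch a forgotten middleware.
  unprotectedRoutes(prefix, mw) {
    const guarded = (p) => this.prefixGuards.some((g) => g.mw === mw && p.startsWith(g.prefix));
    return this.routes
      .filter((r) => r.path.startsWith(prefix) && !r.middleware.includes(mw) && !guarded(r.path))
      .map((r) => r.path);
  }
}

// Vulnerable pattern: auth attached route by route; one endpoint is missed.
function buildVulnerableApp() {
  const app = new Router();
  app.add("/api/backups", [requireSession], () => ({ status: 200, body: "backup list" }));
  app.add("/api/settings", [], () => ({ status: 200, body: "settings" })); // no requireSession
  return app;
}

// Hardened pattern: guard the whole /api prefix once, so no route can be left open.
function buildHardenedApp() {
  const app = new Router();
  app.protectPrefix("/api", requireSession);
  app.add("/api/backups", [], () => ({ status: 200, body: "backup list" }));
  app.add("/api/settings", [], () => ({ status: 200, body: "settings" }));
  return app;
}
```

The audit is the regression check worth keeping: it fails the build if any route under the API prefix lacks the session middleware, whether the guard was applied per route or at the prefix.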
CVSS Details
- Base Score: 9.1
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: None
Threat Intelligence
- EPSS exploit probability: 28.2% percentile
Exploit & Patch Status
- No known exploit
- Patch available
Weaknesses (1)
- CWE-305 (Authentication Bypass by Primary Weakness)
Affected Products (2)
References (3)
- github.com https://github.com/nicotsx/zerobyte/commit/13e080a18967705bd2b4e110e5f7693fdca1c692
- github.com https://github.com/nicotsx/zerobyte/issues/161
- github.com https://github.com/nicotsx/zerobyte/security/advisories/GHSA-x539-c98q-38gv
Remediation
- github.com https://github.com/nicotsx/zerobyte/commit/13e080a18967705bd2b4e110e5f7693fdca1c692
- github.com https://github.com/nicotsx/zerobyte/security/advisories/GHSA-x539-c98q-38gv