CVE-2025-68435

CRITICAL · EPSS 28.2%
Published Dec 17, 2025 · Last Modified Jun 17, 2026
CVSS 3.1 Base Score 9.1 (Critical)

Description

Zerobyte is a backup automation tool. Zerobyte versions prior to 0.18.5 and 0.19.0 contain an authentication bypass vulnerability in which the authentication middleware is not properly applied to API endpoints. As a result, certain API endpoints are accessible without valid session credentials. This is particularly dangerous for deployments that expose Zerobyte outside their internal network. A fix has been applied in both version 0.19.0 and 0.18.5. If an immediate upgrade is not possible, restrict network access to the Zerobyte instance to trusted networks only, using firewall rules or network segmentation. This is only a temporary mitigation; upgrading is strongly recommended.

CVSS Details

Base Score
9.1
Exploitability
3.9
Impact
5.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
28.2% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-305

Affected Products 2

Vendor    Product    Version    Range
nicotsx   zerobyte   *          <0.18.5
nicotsx   zerobyte   0.19.0     any

References 3

  • github.com https://github.com/nicotsx/zerobyte/commit/13e080a18967705bd2b4e110e5f7693fdca1c692
    Patch
  • github.com https://github.com/nicotsx/zerobyte/issues/161
    Issue Tracking
  • github.com https://github.com/nicotsx/zerobyte/security/advisories/GHSA-x539-c98q-38gv
    Mitigation, Patch, Vendor Advisory

Remediation

  • github.com https://github.com/nicotsx/zerobyte/commit/13e080a18967705bd2b4e110e5f7693fdca1c692
    Patch
  • github.com https://github.com/nicotsx/zerobyte/security/advisories/GHSA-x539-c98q-38gv
    Mitigation, Patch, Vendor Advisory