CVE-2025-52968

Published: Jun 23, 2025

Modified: Jun 23, 2025

PUBLISHED

CVSS v3.1

2.7

LOW

Description

xdg-open in xdg-utils through 1.2.1 can send requests containing SameSite=Strict cookies, which can facilitate CSRF. (For example, xdg-open could be modified to, by default, associate x-scheme-handler/https with the execution of a browser with command-line options that arrange for an empty cookie store, although this would add substantial complexity, and would not be considered a desirable or expected behavior by all users.) NOTE: this is disputed because integrations of xdg-open typically do not provide information about whether the xdg-open command and arguments were manually entered by a user, or whether they were the result of a navigation from content in an untrusted origin.

Vendor	Product	Versions
freedesktop	xdg-utils	affected `0 - <= 1.2.1`

Weaknesses (CWE)

CWE-420

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

None

Availability

None

References

https://cgit.freedesktop.org/xdg/xdg-utils/tag/?h=v1.2.1

https://www.openwall.com/lists/oss-security/2025/06/23/1

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-52968

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References