CVE-2025-68435

Published: Dec 17, 2025

Modified: Dec 18, 2025

PUBLISHED

CVSS v3.1

9.1

CRITICAL

Description

Zerobyte is a backup automation tool Zerobyte versions prior to 0.18.5 and 0.19.0 contain an authentication bypass vulnerability where authentication middleware is not properly applied to API endpoints. This results in certain API endpoints being accessible without valid session credentials. This is dangerous for those who have exposed Zerobyte to be used outside of their internal network. A fix has been applied in both version 0.19.0 and 0.18.5. If immediate upgrade is not possible, restrict network access to the Zerobyte instance to trusted networks only using firewall rules or network segmentation. This is only a temporary mitigation; upgrading is strongly recommended.

Vendor	Product	Versions
nicotsx	zerobyte	affected `< 0.18.5`

Weaknesses (CWE)

CWE-305

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

References

https://github.com/nicotsx/zerobyte/security/advisories/GHSA-x539-c98q-38gv

x_refsource_CONFIRM

https://github.com/nicotsx/zerobyte/issues/161

x_refsource_MISC

https://github.com/nicotsx/zerobyte/commit/13e080a18967705bd2b4e110e5f7693fdca1c692

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-68435

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References