
Description

A malicious client acting as the receiver in an rsync file transfer can trigger an out-of-bounds read of a heap-based buffer via a negative array index. The malicious rsync client requires at least read access to the remote rsync module in order to trigger the issue.

Status: PUBLISHED | Reserved 2025-09-09 | Published 2025-11-18 | Updated 2025-11-19 | Assigner: rapid7

Severity: MEDIUM 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Problem types

CWE-129 Improper Validation of Array Index

Product status

Default status: unaffected

Any version: affected

Timeline

2025-03-19: Rapid7 makes initial outreach to rsync maintainers
2025-03-19: Rsync maintainers confirm outreach
2025-03-20: Rapid7 provides rsync maintainers a technical writeup and PoC to reproduce the issue
2025-04-02: Rapid7 requests confirmation of findings
2025-04-06: Rsync maintainers indicate more time is needed
2025-04-16: Rsync maintainers reproduce the issue and dispute its security impact due to uncertainty around the viability of heap manipulation during exploitation
2025-04-17: Rapid7 indicates manipulating the heap is nuanced and CVE assignment is both prudent and best practice in this instance
2025-05-07: Rapid7 requests an update
2025-05-12: Rsync maintainers indicate a pull request to fix the issue is forthcoming
2025-05-28: Rapid7 requests an update
2025-06-17: Rapid7 requests an update
2025-08-18: Rapid7 requests an update
2025-08-23: Rsync maintainers indicate a pull request to remediate the issue has been made and a feature release is forthcoming
2025-09-02: Rapid7 indicates intention to assign a CVE and perform a coordinated disclosure with the rsync maintainers upon the upcoming feature release
2025-09-09: Rapid7 provides rsync maintainers a reserved CVE identifier and requests the date for the expected feature release
2025-11-11: Rapid7 indicates intention to publish the CVE record on November 18, 2025
2025-11-18: This disclosure

Credits

Calum Hutton (finder)

References

github.com/...ommit/797e17fc4a6f15e3b1756538a9f812b63942686f (patch)

attackerkb.com/...ments/fbacb2a6-d1cd-4011-bb3a-f06b1c8306b1 (technical description)

cve.org (CVE-2025-10158)

nvd.nist.gov (CVE-2025-10158)
