Description

An issue was discovered in Weaviate OSS before 1.33.4. Due to a lack of validation of the fileName field in the transfer logic, an attacker who can call the GetFile method while a shard is in the "Pause file activity" state and the FileReplicationService is reachable can read arbitrary files accessible to the service process.
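An added example, not Weaviate's code (the page does not show the affected transfer logic): one way a Go file-serving handler can validate a client-supplied file name before opening it, assuming the name is joined onto a per-shard directory. `resolveShardFile`, `ErrUnsafeFileName` and the sample file names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafeFileName is returned when a requested name would leave the shard directory.
var ErrUnsafeFileName = errors.New("file name escapes shard directory")

// resolveShardFile (hypothetical helper) maps a client-supplied fileName to a
// path inside shardRoot, or fails closed with ErrUnsafeFileName.
func resolveShardFile(shardRoot, fileName string) (string, error) {
	// IsLocal rejects "", absolute paths, and any ".." that climbs out of the root.
	if !filepath.IsLocal(fileName) {
		return "", ErrUnsafeFileName
	}
	root, err := filepath.EvalSymlinks(shardRoot)
	if err != nil {
		return "", err
	}
	// Resolve symlinks so a link stored inside the shard cannot point outside it.
	full, err := filepath.EvalSymlinks(filepath.Join(root, fileName))
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeFileName
	}
	return full, nil
}

func main() {
	root, _ := os.MkdirTemp("", "shard") // constructed sample layout
	defer os.RemoveAll(root)
	os.WriteFile(filepath.Join(root, "segment.db"), []byte("x"), 0o600)
	for _, name := range []string{"segment.db", "../outside", "/etc/hostname"} {
		_, err := resolveShardFile(root, name)
		fmt.Printf("%-16q allowed=%v\n", name, err == nil)
	}
}
```

The check runs on the resolved path, so the file should be opened through the returned path rather than the original name.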

PUBLISHED Reserved 2025-12-12 | Published 2025-12-12 | Updated 2025-12-12 | Assigner mitre

References

github.com/weaviate/weaviate

weaviate.io/blog/weaviate-security-release-november-2025

cve.org (CVE-2025-67819)

nvd.nist.gov (CVE-2025-67819)

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.