CVE-2025-6297 Affecting dpkg package, versions <1.22.21
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-DEBIAN13-DPKG-10566854
- published1 Jul 2025
- disclosed1 Jul 2025
Introduced: 1 Jul 2025
NewCVE-2025-6297 (opens in a new tab)How to fix?
Upgrade Debian:13 dpkg to version 1.22.21 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream dpkg package and not the dpkg package as distributed by Debian.
See How to fix? for Debian:13 relevant fixed versions and status.
It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, which is documented as being a safe operation even on untrusted data. This may result in leaving temporary files behind on cleanup. Given automated and repeated execution of dpkg-deb commands on adversarial .deb packages or with well compressible files, placed inside a directory with permissions not allowing removal by a non-root user, this can end up in a DoS scenario due to causing disk quota exhaustion or disk full conditions.