CVE-2024-25711 is a directory traversal vulnerability identified in diffoscope, a tool used for in-depth comparison of files, archives, and directories. The flaw exists in versions prior to 256 and stems from the handling of embedded filenames within GPG files. Specifically, diffoscope relies on the gpg --use-embedded-filenames option, which is trusted without proper validation. An attacker can embed filenames containing directory traversal sequences (e.g., ../) inside a crafted GPG file. When diffoscope processes this file, it inadvertently accesses and discloses contents of arbitrary files on the system, such as ~/.ssh/id_rsa private keys or other sensitive data. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). Exploitation requires local access with low privileges (AV:L), low attack complexity (AC:L), and privileges (PR:L), but no user interaction (UI:N). The impact on confidentiality and integrity is high, as sensitive files can be read and potentially manipulated. Availability is not affected. No patches or exploits are currently publicly available, but the risk is significant given the sensitive nature of data exposed. Diffoscope is commonly used in software development, packaging, and security auditing, making this vulnerability relevant to organizations relying on these workflows.

For European organizations, the primary impact is the potential unauthorized disclosure of sensitive files, including private cryptographic keys and configuration files, which could lead to further compromise of systems and data. This is particularly critical for organizations involved in software development, open-source projects, and security auditing where diffoscope is used to verify software integrity. Exposure of private keys could enable attackers to impersonate users or escalate privileges. The integrity of software verification processes may also be undermined, affecting trust in software supply chains. While the vulnerability requires local access, insider threats or compromised accounts could exploit it to escalate data exposure. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially in environments with lax access controls. European entities with stringent data protection regulations (e.g., GDPR) face additional compliance risks if sensitive data is leaked.

Organizations should immediately upgrade diffoscope to version 256 or later once available, as this will include fixes for the directory traversal vulnerability. Until patches are applied, restrict access to systems running diffoscope to trusted users only and enforce strict local access controls. Avoid processing untrusted or unauthenticated GPG files with diffoscope. Implement monitoring and auditing of diffoscope usage to detect anomalous file access patterns. Consider sandboxing diffoscope executions to limit filesystem exposure. Educate developers and security teams about the risks of trusting embedded filenames in GPG files. Review and rotate any potentially exposed cryptographic keys or credentials as a precaution. Incorporate this vulnerability into supply chain security assessments and incident response plans.