CVE-2025-13425 is a vulnerability identified in Google OSV-SCALIBR, a tool used for software vulnerability analysis. The flaw arises in the filesystem traversal fallback mechanism, specifically within the function fs/diriterate/diriterate.go:Next(). When the ReadDir function returns nil—indicating an empty directory—the code erroneously attempts to access an element in an empty slice, leading to an index out of range panic. This causes the application to crash, resulting in a denial of service (DoS) condition. The root cause is a NULL pointer dereference (CWE-476), a common programming error where the code does not properly check for nil or empty values before dereferencing. The vulnerability affects versions of OSV-SCALIBR earlier than 0.3.4. Exploitation requires local privileges (AV:L) and low privileges (PR:L), with no authentication or user interaction needed. The impact is limited to application availability, with no confidentiality or integrity compromise. The CVSS v4.0 score is 1.9, reflecting the low severity and limited attack surface. No patches or exploits are currently publicly available, but updating to version 0.3.4 or later is recommended to resolve the issue.

The primary impact of CVE-2025-13425 is denial of service due to application crashes in OSV-SCALIBR. For European organizations relying on OSV-SCALIBR for vulnerability scanning or software analysis, this could lead to interruptions in security workflows or automated vulnerability assessments. While the vulnerability does not allow for privilege escalation, data leakage, or code execution, repeated crashes could degrade operational efficiency or delay vulnerability management processes. Organizations with automated pipelines integrating OSV-SCALIBR might experience temporary outages or require manual intervention to restart services. Given the local access requirement, remote exploitation is unlikely, reducing the risk of widespread attacks. However, in environments where OSV-SCALIBR is critical, such as security operations centers or software development teams, availability disruptions could indirectly affect security posture and compliance efforts.

To mitigate CVE-2025-13425, organizations should upgrade OSV-SCALIBR to version 0.3.4 or later, where the issue has been addressed. Until the update is applied, it is advisable to implement monitoring for application crashes and automate restarts to minimize downtime. Restrict local access to systems running OSV-SCALIBR to trusted personnel only, reducing the risk of intentional or accidental exploitation. Review and harden user privilege assignments to ensure that only necessary users have access to the tool. Incorporate error handling and input validation in custom scripts or integrations that invoke OSV-SCALIBR to detect and handle empty directories gracefully. Additionally, maintain up-to-date backups of configurations and scan results to prevent data loss during unexpected crashes. Regularly audit and monitor logs for signs of repeated crashes or abnormal behavior related to filesystem traversal operations.