CVE-2025-47229: CWE-617 Reachable Assertion in GNU PSPP

Severity: Low
Published: Sat May 03 2025 (05/03/2025, 00:00:00 UTC)
Source: CVE
Vendor/Project: GNU
Product: PSPP

Description

libpspp-core.a in GNU PSPP through 2.0.1 allows attackers to cause a denial of service (var_set_leave_quiet assertion failure and application exit) via crafted input data, such as data that triggers a call from src/data/dictionary.c code into src/data/variable.c code.

AI-Powered Analysis

Last updated: 07/07/2025, 00:27:31 UTC

Technical Analysis

CVE-2025-47229 is a vulnerability identified in GNU PSPP, an open-source statistical analysis software often used as a free alternative to proprietary tools like SPSS. The issue resides in the libpspp-core.a library, specifically affecting versions through 2.0.1. The vulnerability is classified as a reachable assertion failure (CWE-617), which occurs when crafted input data triggers an assertion failure in the var_set_leave_quiet function. This function is called via a code path from src/data/dictionary.c into src/data/variable.c. The assertion failure causes the application to exit unexpectedly, resulting in a denial of service (DoS). The CVSS 3.1 base score is 2.9, indicating a low severity level. The attack vector is local (AV:L), requiring high attack complexity (AC:H), no privileges (PR:N), and no user interaction (UI:N). The impact is limited to availability (A:L) with no confidentiality or integrity impact. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability does not allow remote exploitation and requires local access, making it less critical but still a concern for environments where PSPP is used for statistical data processing and availability is important.

Potential Impact

For European organizations, the impact of this vulnerability is primarily a potential denial of service affecting availability of the PSPP application. Since PSPP is used in academic, research, and some governmental statistical analysis contexts, an attacker with local access could cause the software to crash, interrupting data analysis workflows. This could delay research projects, data reporting, or decision-making processes that rely on PSPP. However, the low CVSS score and requirement for local access limit the threat's scope. Confidentiality and integrity of data are not affected, so sensitive data exposure or manipulation is not a concern here. Organizations with automated or batch processing using PSPP might experience disruptions if crafted input data is processed without validation. Overall, the impact is operational disruption rather than data breach or system compromise.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should implement the following specific measures:

1) Restrict local access to systems running PSPP to trusted users only, minimizing the risk of malicious input data being introduced.
2) Implement input validation and sanitization on data files before processing them with PSPP to prevent crafted inputs that trigger the assertion failure.
3) Monitor PSPP application logs and system stability to detect unexpected crashes or assertion failures promptly.
4) Isolate PSPP processing environments, especially if used in multi-user or shared systems, to contain potential denial of service impacts.
5) Stay updated with GNU PSPP releases and apply patches as soon as they become available, even though no patch links are currently provided.
6) Consider alternative statistical tools or additional redundancy in workflows to maintain availability during potential PSPP downtime.

These steps go beyond generic advice by focusing on access control, input validation, monitoring, and operational continuity specific to PSPP usage contexts.
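
One way to apply measures 3 and 4 to a batch pipeline, as an added example (not code from the PSPP project or from this advisory): each input runs in its own child process, and an exit by SIGABRT, which is how a failed C `assert()` terminates a process on POSIX systems, is flagged and the input quarantined so the rest of the batch continues. The `pspp <file>` invocation, the function names and the quarantine directory are assumptions.

```python
import shutil
import signal
import subprocess
import sys
from pathlib import Path

# Assumption: inputs are syntax files run as `pspp <file>`; adapt to your pipeline.
PSPP_CMD = ["pspp"]
QUARANTINE_LABELS = {"assertion-abort", "crash", "timeout"}


def classify(returncode):
    """Map a POSIX child exit status to a triage label."""
    if returncode == 0:
        return "ok"
    if returncode == -signal.SIGABRT:
        # A failed C assert() calls abort(), so the child dies by SIGABRT.
        return "assertion-abort"
    if returncode < 0:
        return "crash"  # killed by some other signal
    return "error"  # ordinary non-zero exit, e.g. a syntax error


def run_isolated(path, cmd=PSPP_CMD, timeout=60):
    """Run one input in its own process; return (label, tail of stderr)."""
    try:
        proc = subprocess.run([*cmd, str(path)], stdout=subprocess.DEVNULL,
                              stderr=subprocess.PIPE, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout", ""
    return classify(proc.returncode), proc.stderr.decode(errors="replace")[-300:]


def process_batch(files, quarantine_dir, cmd=PSPP_CMD, timeout=60):
    """Process every file; quarantine inputs that abort, crash or hang."""
    quarantine_dir = Path(quarantine_dir)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    results = {}
    for path in map(Path, files):
        label, tail = run_isolated(path, cmd, timeout)
        results[path.name] = label
        if label in QUARANTINE_LABELS:
            shutil.move(str(path), str(quarantine_dir / path.name))
            print(f"ALERT {label}: {path.name} quarantined; stderr: {tail!r}",
                  file=sys.stderr)
    return results
```

Quarantined files are kept rather than deleted so they can be attached to a bug report or re-tested once a fixed PSPP release is installed.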

Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-05-03T00:00:00.000Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682d981fc4522896dcbdc4f0

Added to database: 5/21/2025, 9:08:47 AM

Last enriched: 7/7/2025, 12:27:31 AM

Last updated: 8/13/2025, 11:08:06 AM
