
CVE-2025-55194: CWE-248: Uncaught Exception in Part-DB Part-DB-server

Medium
Published: Wed Aug 13 2025 (08/13/2025, 22:46:30 UTC)
Source: CVE Database V5
Vendor/Project: Part-DB
Product: Part-DB-server

Description

Part-DB is an open source inventory management system for electronic components. Prior to version 1.17.3, any authenticated user can upload a profile picture with a misleading file extension (e.g., .jpg.txt), resulting in a persistent 500 Internal Server Error when attempting to view or edit that user’s profile. This makes the profile permanently inaccessible via the UI for both users and administrators, constituting a Denial of Service (DoS) within the user management interface. This issue has been patched in version 1.17.3.

AI-Powered Analysis

AI analysis last updated: 08/14/2025, 00:34:26 UTC

Technical Analysis

CVE-2025-55194 is a medium-severity vulnerability in Part-DB, an open-source inventory management system for electronic components; it affects Part-DB-server before version 1.17.3. The cause is improper handling of a user-uploaded profile picture whose filename carries a misleading extension, the published example being a double extension such as .jpg.txt (the name suggests a JPEG, but the stored file ends in .txt). Any authenticated user can upload such a file; the upload is accepted and stored, and every later attempt to view or edit that user's profile hits an uncaught exception that surfaces as a 500 Internal Server Error. Because the bad file persists, the error persists with it: the profile becomes inaccessible through the user interface both for the user and for administrators, who can no longer manage that account from the UI. This is a denial of service confined to the user management interface, classified as CWE-248 (Uncaught Exception): the application does not handle an unexpected input or error condition. The CVSS v3.1 base score is 5.7 (medium). The stated components are network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), user interaction required (UI:R, since someone has to open the affected profile for the error to appear) and high availability impact (A:H) with no confidentiality or integrity impact; with scope unchanged these give the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H, which does compute to 5.7. No exploitation in the wild is reported, and the issue is fixed in Part-DB-server 1.17.3. The practical effect is on the availability of profile management, which can disrupt administrative work and user experience in environments that rely on Part-DB for inventory management.
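The failure mode, as an added illustration written for this page (not Part-DB's code, which is PHP and which the advisory does not quote): a fragile accept/render pair in which the upload check only looks for an image extension somewhere in the name while the render step dispatches on the last extension, beside a hardened pair that validates by content and degrades to a default picture instead of letting a decode error escape. The magic-byte table, the function names and the sample payloads are constructed for the example.

```python
"""Fragile vs hardened profile-picture handling (illustrative; not Part-DB code)."""
import re

# Constructed allowlist: accepted formats and the magic bytes that identify them.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Every accepted final extension, mapped to its canonical format.
EXT_TO_FORMAT = {"png": "png", "jpg": "jpg", "jpeg": "jpg", "gif": "gif"}

# Constructed sample payloads (minimal headers, not real images).
PNG_SAMPLE = MAGIC["png"] + b"\x00" * 16
JPG_SAMPLE = MAGIC["jpg"] + b"\xe0" + b"\x00" * 16
TEXT_SAMPLE = b"this is a text file, not an image\n"


# ---- Fragile pattern: mirrors the CVE's failure mode ----------------------

def fragile_accept(filename: str) -> bool:
    """Upload-time check that only asks whether an image extension appears
    somewhere in the name, so 'avatar.jpg.txt' is accepted and stored."""
    return re.search(r"\.(jpe?g|png|gif)", filename, re.IGNORECASE) is not None


def fragile_render(filename: str, data: bytes) -> str:
    """Render-time code that dispatches on the real (last) extension.
    For 'avatar.jpg.txt' the key is 'txt'; the KeyError is not caught here,
    and because the file is stored, every later view of the profile fails."""
    decoders = {"jpg": "jpg", "jpeg": "jpg", "png": "png", "gif": "gif"}
    ext = filename.rsplit(".", 1)[-1].lower()
    return decoders[ext]  # uncaught KeyError for anything unexpected


def fragile_view_profile(filename: str, data: bytes) -> str:
    """What the web framework's top-level handler does with the escaped
    exception: every visitor to the profile gets a 500. Returned as a string."""
    try:
        fragile_render(filename, data)
        return "200"
    except KeyError:
        return "500"


# ---- Hardened pattern ------------------------------------------------------

def sniff_format(data: bytes):
    """Identify the image format from content alone; None if unrecognised."""
    for fmt, magic in MAGIC.items():
        if data.startswith(magic):
            return fmt
    return None


def hardened_accept(filename: str, data: bytes):
    """Upload-time validation: the final extension must be allowlisted and
    the content must carry the matching magic bytes. Returns (ok, detail)
    so the caller can show a clean error instead of storing the file."""
    base = filename.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2 or parts[-1] not in EXT_TO_FORMAT:
        return False, "final extension not allowed"
    expected = EXT_TO_FORMAT[parts[-1]]
    actual = sniff_format(data)
    if actual != expected:
        return False, f"content is {actual or 'unrecognised'}, not {expected}"
    return True, expected


def decode_image(data: bytes) -> str:
    """Stand-in for a real decoder: raises on unsupported content."""
    fmt = sniff_format(data)
    if fmt is None:
        raise ValueError("unsupported image data")
    return fmt


def hardened_render(filename: str, data: bytes) -> str:
    """Render-time path that never propagates a decode failure: the format is
    taken from content, and a bad stored file degrades to a default avatar so
    the profile page stays usable for users and administrators."""
    try:
        return decode_image(data)
    except ValueError:
        return "default-avatar"


if __name__ == "__main__":
    name = "avatar.jpg.txt"
    print("fragile accepts:", fragile_accept(name))                    # True
    print("fragile profile view:", fragile_view_profile(name, TEXT_SAMPLE))  # 500
    print("hardened accept:", hardened_accept(name, TEXT_SAMPLE))
    print("hardened render:", hardened_render(name, TEXT_SAMPLE))      # default-avatar
```

The two halves of the fix matter separately: content-based validation at upload time keeps the bad file from being stored at all, and the fallback at render time means that even a file that slipped in (or was already stored before the fix) cannot take the whole profile page down.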

Potential Impact

For European organizations using Part-DB to manage electronic component inventories, the effect is loss of access to user profiles within the management interface, which hinders user administration, can delay inventory work that depends on account changes, and complicates user support. Confidentiality and integrity are not affected; operational continuity and administrative efficiency are. An attacker can only break their own profile, and only after authenticating, so exposure scales with the number of self-service accounts: in a deployment with many ordinary users, several accounts could be made unmanageable from the UI at once, while a deployment with a handful of trusted users is at little risk. No exploits in the wild are known, which lowers the immediate threat but does not remove the risk from any holder of a low-privilege account.

Mitigation Recommendations

European organizations should upgrade Part-DB-server to version 1.17.3 or later; that is the fix. Until the upgrade is applied, validate profile-picture uploads by content rather than by name: accept only an allowlisted final extension, check that the file's leading bytes match that type, and reject anything with an extra or mismatched extension (a reverse proxy or WAF rule on the upload endpoint can enforce the filename check where the application itself cannot be changed). Limit who can upload pictures where the access model allows it, and monitor upload activity and application logs for filenames with unexpected extensions and for repeated 500 responses on profile pages, which is what an exploitation attempt looks like. If you maintain custom code around the upload or rendering path, catch decode failures and fall back to a default picture rather than letting the exception reach the framework. A profile that has already been broken stays broken as long as the offending picture is stored and the vulnerable version is running; after upgrading, verify that affected profiles open again and remove the offending picture if they do not. Keep backups of user data so an unmanageable account can be recovered, and tell users and administrators that picture uploads must carry a single, correct image extension.
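The monitoring advice above, turned into an added example (not Part-DB's own logging, whose format the advisory does not describe): a small detector over constructed application log lines that flags uploads with misleading or non-image extensions and profile-page paths that return 500 repeatedly. The line format, the /user paths, the allowlist and the threshold are all assumptions made for the example.

```python
"""Detection over constructed application log lines (added example; the log
format, paths and allowlist are assumptions, not Part-DB's real logging)."""
import re
from collections import Counter

# Assumed allowlist of legitimate picture extensions.
IMAGE_EXT = {"png", "jpg", "jpeg", "gif", "webp"}

# Assumed line formats for the two event kinds we care about.
UPLOAD_RE = re.compile(r'upload user=(?P<user>\S+) file="(?P<file>[^"]+)"')
ERROR_RE = re.compile(r"http status=(?P<status>\d{3}) path=(?P<path>\S+) user=(?P<user>\S+)")

# Constructed sample log: one misleading upload, one profile page failing twice,
# one unrelated 500, and two legitimate uploads.
SAMPLE_LOG = """\
2025-08-14T09:12:01Z INFO upload user=alice file="avatar.jpg.txt" size=34
2025-08-14T09:12:03Z ERROR http status=500 path=/user/info user=alice
2025-08-14T09:15:10Z ERROR http status=500 path=/user/7/edit user=admin
2025-08-14T09:16:10Z ERROR http status=500 path=/user/7/edit user=admin
2025-08-14T09:20:00Z INFO upload user=bob file="bob.png" size=2048
2025-08-14T09:21:00Z ERROR http status=500 path=/part/3 user=bob
2025-08-14T09:22:00Z INFO upload user=carol file="me.photo.jpeg" size=4096
"""


def suspicious_filename(name: str) -> bool:
    """Flag names whose final extension is not an image type, that have no
    extension at all, or that carry an image extension in an inner position
    (avatar.jpg.txt, pic.png.jpg). A harmless inner dot (me.photo.jpeg) passes."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return True
    final, inner = parts[-1], parts[1:-1]
    return final not in IMAGE_EXT or any(p in IMAGE_EXT for p in inner)


def analyse(log_text: str, threshold: int = 2) -> dict:
    """Return suspicious uploads and profile paths with >= threshold 500s."""
    uploads = []
    errors = Counter()
    for line in log_text.splitlines():
        m = UPLOAD_RE.search(line)
        if m:
            if suspicious_filename(m["file"]):
                uploads.append((m["user"], m["file"]))
            continue
        m = ERROR_RE.search(line)
        # Only profile-related paths matter for this CVE; other 500s are noise here.
        if m and m["status"] == "500" and m["path"].startswith("/user"):
            errors[m["path"]] += 1
    return {
        "suspicious_uploads": uploads,
        "repeated_profile_errors": {p: n for p, n in errors.items() if n >= threshold},
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for user, fname in result["suspicious_uploads"]:
        print(f"suspicious upload by {user}: {fname}")
    for path, count in result["repeated_profile_errors"].items():
        print(f"profile page {path} returned 500 {count} times")
```

Correlating the two signals (a flagged upload by a user followed by repeated 500s on that user's profile path) is what turns a noisy alert into a confident one; the sample log shows exactly that pairing for alice and the profile being edited by admin.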


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-08-08T21:55:07.963Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 689d2ef7ad5a09ad00555d66

Added to database: 8/14/2025, 12:33:59 AM

Last enriched: 8/14/2025, 12:34:26 AM

Last updated: 8/15/2025, 8:12:01 AM


