
CVE-2025-67819: n/a

Severity: Medium
Type: Vulnerability
Published: Fri Dec 12 2025 (12/12/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

An issue was discovered in Weaviate OSS before 1.33.4. Due to a lack of validation of the fileName field in the transfer logic, an attacker who can call the GetFile method while a shard is in the "Pause file activity" state and the FileReplicationService is reachable can read arbitrary files accessible to the service process.

AI-Powered Analysis

Last updated: 12/19/2025, 17:44:48 UTC

Technical Analysis

CVE-2025-67819 is a vulnerability in Weaviate OSS, an open-source vector search engine, affecting versions before 1.33.4. The root cause is missing validation of the fileName field in the transfer logic, specifically within the GetFile method. The flaw is reachable when a shard is in the "Pause file activity" state and the FileReplicationService is accessible. An attacker who can invoke GetFile under these conditions can perform a directory traversal (CWE-22) and read arbitrary files that the service process can access. The attack vector is network-based (AV:N) with low attack complexity (AC:L), but it requires high privileges (PR:H) and no user interaction (UI:N). Scope is unchanged (S:U), and the impact is to confidentiality only (C:H), with no effect on integrity or availability. No public exploits are currently known, but successful exploitation would expose sensitive data. No patch links are recorded for this entry; the issue is resolved in version 1.33.4 and later, so affected users should upgrade.

Potential Impact

For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive information stored or processed by Weaviate OSS instances. Since the exploit requires high privileges and access to the FileReplicationService, insider threats or compromised accounts pose the greatest risk. Exposure of confidential files could impact data privacy compliance, including GDPR obligations, potentially resulting in regulatory penalties and reputational damage. Organizations relying on Weaviate for critical data indexing or search functionalities may face operational risks if sensitive internal files are leaked. The medium severity rating reflects the limited attack surface due to required privileges, but the potential confidentiality breach remains significant, especially for sectors handling personal or proprietary data such as finance, healthcare, and government agencies within Europe.

Mitigation Recommendations

European organizations should implement the following specific mitigations:
1) Upgrade Weaviate OSS to version 1.33.4 or later as soon as the patch is available to ensure the vulnerability is addressed.
2) Restrict network access to the FileReplicationService to trusted hosts only, using firewall rules or network segmentation to minimize exposure.
3) Enforce strict authentication and authorization controls to limit who can invoke the GetFile method, ensuring only necessary high-privilege users have access.
4) Implement input validation and sanitization on the fileName parameter at the application level to prevent directory traversal attempts.
5) Monitor logs for unusual GetFile method calls or access patterns during shard pause states to detect potential exploitation attempts.
6) Conduct regular security audits and penetration tests focusing on Weaviate deployments to identify and remediate similar issues proactively.
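Mitigations 4) and 5) above ask for validation of the fileName parameter and for monitoring of GetFile requests. The following is an added example written for this page, not Weaviate's own code, showing in Go (the language Weaviate is written in) how a file-serving handler can confine a requested name to the shard directory and how a log-review helper can flag names worth alerting on. ResolveShardFile, LooksLikeTraversal, the root path and the sample names are all constructed for illustration and are not identifiers from the project.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when the requested name would escape the shard directory.
var ErrOutsideRoot = errors.New("requested file is outside the shard directory")

// ResolveShardFile maps an untrusted fileName (as it might arrive in a GetFile
// request) onto a path under root, rejecting any name that escapes root.
// root is assumed to be an absolute directory path. Hypothetical helper.
func ResolveShardFile(root, fileName string) (string, error) {
	if fileName == "" {
		return "", errors.New("empty file name")
	}
	// A replica transfer only ever names files relative to the shard directory,
	// so absolute paths and Windows-style separators are rejected outright.
	if filepath.IsAbs(fileName) || strings.Contains(fileName, `\`) {
		return "", ErrOutsideRoot
	}
	// Embedded NUL bytes would be silently truncated by some system calls.
	if strings.ContainsRune(fileName, 0) {
		return "", errors.New("file name contains NUL byte")
	}
	cleanRoot := filepath.Clean(root)
	candidate := filepath.Join(cleanRoot, fileName) // Join also collapses ".." segments
	// Rel expresses candidate relative to root; a leading ".." means it lies outside.
	rel, err := filepath.Rel(cleanRoot, candidate)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return candidate, nil
}

// LooksLikeTraversal is a conservative classifier for reviewing logged GetFile
// names: it flags any absolute path, backslash, or ".." segment, even ones that
// would resolve inside the root, because those are not expected in normal
// replication traffic and merit a look. Hypothetical helper.
func LooksLikeTraversal(fileName string) bool {
	if filepath.IsAbs(fileName) || strings.Contains(fileName, `\`) {
		return true
	}
	for _, seg := range strings.Split(fileName, "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

func main() {
	root := "/data/weaviate/shard0" // constructed root, not a real Weaviate path
	// Constructed sample names: two benign, three that must be rejected.
	samples := []string{"segment-1.db", "sub/../index.bin", "../../etc/passwd", "/etc/passwd", ".."}
	for _, name := range samples {
		p, err := ResolveShardFile(root, name)
		fmt.Printf("%-20q -> path=%q err=%v suspicious=%v\n", name, p, err, LooksLikeTraversal(name))
	}
}
```

The check is lexical: it guarantees the resolved path string is under root, but a symbolic link inside the shard directory could still point elsewhere, so a service that must also defend against that would resolve the candidate with filepath.EvalSymlinks and re-run the same root comparison on the result.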


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-12-12T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 693c45b972d8eb03a613ec4e

Added to database: 12/12/2025, 4:41:29 PM

Last enriched: 12/19/2025, 5:44:48 PM

Last updated: 2/7/2026, 12:49:21 AM

Views: 138

