CVE-2025-65112

Received
Published: 29 Nov 2025, 01:16
Last modified: 29 Nov 2025, 01:16

Vulnerability Summary

Overall Risk: Medium Risk (38/100)
CVSS Score: 9.4 CRITICAL, CVSS v3.1 (SECURITY-ADVISORIES)
EPSS Score: 0.07% INFO
CISA KEV: Not listed
Ransomware: No reports
Exploits: None found
Dark Web: Not detected

PubNet is a self-hosted Dart & Flutter package service. Prior to version 1.1.3, the /api/storage/upload endpoint in PubNet allows unauthenticated users to upload packages as any user by providing arbitrary author-id values. This enables identity spoofing, privilege escalation, and supply chain attacks. This issue has been patched in version 1.1.3.
Source Identifier: security-advisories@github.com
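
| CVSS | Source | Severity | Exploitability | Impact | Vector |
|------|--------|----------|----------------|--------|--------|
| v4.0 | n/a | | | | |
| v3.1 | security-advisories@github.com | 9.4 CRITICAL | 3.9 | 5.5 | CVSS:3.1/AV:N/AC:L/PR:N/U... |
| v3.0 | n/a | | | | |
| v2.0 | n/a | | | | |
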
EPSS Current Score: 0.07%
EPSS Percentile Rank: 20%ile

CWE-306: Missing Authentication for Critical Function
Description: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Not listed in CISA Known Exploited Vulnerabilities catalog.

No dark web activity detected for this vulnerability.

No known public exploit code indexed (as of 29 Nov 2025, 01:16).

Exploitation status can change quickly once PoC code appears.

No affected systems information available.
