CVE-2025-13425

LOW

OSV-SCALIBR < 0.3.4 - Denial of Service via Filesystem Traversal Fallback Path

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-13425. PoCs published by adminlove520, 0xXA.

AI-analyzed exploit summary This repository provides a functional proof-of-concept for CVE-2025-13425, a nil pointer dereference vulnerability in osv-scalibr. The exploit involves creating a malicious VMDK file with an empty directory to trigger a segmentation fault during filesystem traversal.

Description

A bug in the filesystem traversal fallback path causes fs/diriterate/diriterate.go:Next() to overindex an empty slice when ReadDir returns nil for an empty directory, resulting in a panic (index out of range) and an application crash (denial of service) in OSV-SCALIBR.

Exploits (2)

github WORKING POC 2 stars
by adminlove520 · pythonpoc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-13425

This repository provides a functional proof-of-concept for CVE-2025-13425, a nil pointer dereference vulnerability in osv-scalibr. The exploit involves creating a malicious VMDK file with an empty directory to trigger a segmentation fault during filesystem traversal.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: osv-scalibr (version not specified)
No auth needed
Prerequisites: osv-scalibr source code · ability to compile the binary · qemu-img for VMDK generation
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec WORKING POC
by 0xXA · poc
https://github.com/0xXA/google-poc

This PoC demonstrates a nil pointer dereference vulnerability (CVE-2025-13425) in Google's osv-scalibr tool when processing VMDK files containing empty directories. The exploit triggers a segmentation fault by leveraging improper handling of virtual filesystems.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Google osv-scalibr (version not specified, requires patch reversion)
No auth needed
Prerequisites: Access to compile osv-scalibr from source · Ability to apply patches to revert fixes · qemu-img and parted tools for VMDK generation
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Scores

CVSS v4 1.9
EPSS 0.0002
EPSS Percentile 3.9%
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:P

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-476
Status published
Products (2)
google/osv-scalibr 0 - 0.3.4Go
Google/OSV-SCALIBR < 0.3.4
Published Nov 20, 2025
Tracked Since Feb 18, 2026