CVE-2025-8454
CRITICALdevscripts - Improper Verification of Cryptographic Signature in uscan
Title source: llmDescription
It was discovered that uscan, a tool to scan/watch upstream sources for new releases of software, included in devscripts (a collection of scripts to make the life of a Debian Package maintainer easier), skips OpenPGP verification if the upstream source is already downloaded from a previous run even if the verification failed back then.
References (1)
Core 1
Core References
Issue Tracking, Mailing List
https://bugs.debian.org/1109251
Scores
CVSS v3
9.8
EPSS
0.0022
EPSS Percentile
12.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-347
Status
published
Products (1)
debian/devscripts
2.25.15
Published
Aug 01, 2025
Tracked Since
Feb 18, 2026