Main Vulnerability Database SB2025030778

SB2025030778 - Insufficient verification of data authenticity in Cryptomator

Published: March 7, 2025 Updated: April 20, 2026

Security Bulletin ID SB2025030778

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Insufficient verification of data authenticity (CVE-ID: N/A)

The vulnerability allows a local user to modify protected data.

The vulnerability exists due to insufficient data authenticity verification in the encrypted vault format when processing ciphertext files with write access to the vault. A local user can exchange the ciphertext contents of one file with those of another to modify protected data.

The issue stems from file contents not being cryptographically bound to their file paths.

Remediation

Install update from vendor's website.

References

https://github.com/cryptomator/cryptomator/security/advisories/GHSA-qwfw-w5qf-7wcj
https://github.com/advisories/GHSA-qwfw-w5qf-7wcj