CVE-2025-53964

GoldenDict · GoldenDict

GoldenDict versions 1.5.0 and 1.5.1 contain an exposed dangerous method that allows unauthorized file modification or reading when a user processes a maliciously crafted dictionary file.

Executive summary

GoldenDict versions 1.5.0 and 1.5.1 are susceptible to a critical file manipulation vulnerability that can be triggered by processing a crafted dictionary file.

Vulnerability

The application exposes an insecure method that fails to properly sanitize input when a user searches for terms within a dictionary. An attacker can leverage this to read or modify arbitrary files on the local file system with the permissions of the user running the application.

Business impact

This vulnerability allows for local file system compromise, potentially leading to the theft of sensitive local data or the execution of arbitrary code if system files are modified. Given the CVSS score of 9.6, this poses a substantial risk to the security of the host machine and the data stored therein.

Remediation

Immediate Action: Update to the latest version of GoldenDict and avoid importing dictionaries from untrusted or unverified sources.

Proactive Monitoring: Monitor the application for unexpected file access patterns or unauthorized modifications to sensitive directories.

Compensating Controls: Run the application with the least-privileged user account necessary to perform its functions to restrict the impact of file system access.
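One way to implement the Proactive Monitoring item on Linux, as an added example that is not part of the advisory or of GoldenDict: correlate auditd SYSCALL, CWD and PATH records by event ID and report files the application touched outside an allow-list. The process name `goldendict`, the allow-listed directories and the sample log lines are assumptions constructed for illustration.

```python
import posixpath
import re

# Assumptions (not from the advisory): the process name and the directories
# the application is expected to touch on this host. Adjust per deployment.
WATCHED_COMM = "goldendict"
ALLOWED_DIRS = ("/home/alice/.goldendict", "/home/alice/dictionaries", "/usr")
RECORD_RE = re.compile(r'^type=(\w+) msg=audit\([\d.]+:(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample in auditd raw log format (not captured from a real host).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:500): syscall=257 success=yes comm="goldendict"
type=PATH msg=audit(1700000000.101:500): item=0 name="/home/alice/dictionaries/en.dsl" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.202:501): syscall=257 success=yes comm="goldendict"
type=CWD msg=audit(1700000000.202:501): cwd="/home/alice/dictionaries"
type=PATH msg=audit(1700000000.202:501): item=0 name="../.ssh/id_ed25519" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.303:502): syscall=257 success=yes comm="goldendict"
type=PATH msg=audit(1700000000.303:502): item=0 name="/home/alice/" nametype=PARENT
type=PATH msg=audit(1700000000.303:502): item=1 name="/home/alice/.bashrc" nametype=CREATE
type=SYSCALL msg=audit(1700000000.404:503): syscall=257 success=yes comm="vim"
type=PATH msg=audit(1700000000.404:503): item=0 name="/home/alice/.bashrc" nametype=NORMAL
"""

def suspicious_accesses(lines):
    """Return sorted (event_id, path) pairs touched by WATCHED_COMM outside ALLOWED_DIRS."""
    events = {}
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: q or u for k, q, u in FIELD_RE.findall(body)}
        ev = events.setdefault(int(event_id), {"comm": None, "cwd": "/", "paths": []})
        if rtype == "SYSCALL":
            ev["comm"] = fields.get("comm")
        elif rtype == "CWD":
            ev["cwd"] = fields.get("cwd", "/")
        elif rtype == "PATH" and fields.get("nametype") != "PARENT":
            ev["paths"].append(fields.get("name", ""))
    hits = []
    for event_id, ev in events.items():
        for name in ev["paths"] if ev["comm"] == WATCHED_COMM else []:
            # Resolve relative names and '..' segments before the prefix check.
            full = posixpath.normpath(posixpath.join(ev["cwd"], name))
            if not any(full == d or full.startswith(d + "/") for d in ALLOWED_DIRS):
                hits.append((event_id, full))
    return sorted(hits)
```

The trailing-slash comparison keeps a sibling directory such as `/home/alice/.goldendict-x` from passing as allow-listed.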

Exploitation status

Public Exploit Available: Not specified

Analyst recommendation

Users should immediately update GoldenDict to a version where this dangerous method has been secured or removed. Exercise extreme caution when downloading and using dictionary files from third-party repositories to avoid triggering this vulnerability.