CVE-2025-53964
GoldenDict · GoldenDict
GoldenDict versions 1.5.0 and 1.5.1 contain an exposed dangerous method that allows unauthorized file modification or reading when a user processes a maliciously crafted dictionary file.
Executive summary
GoldenDict versions 1.5.0 and 1.5.1 are susceptible to a critical file manipulation vulnerability that can be triggered by processing a crafted dictionary file.
Vulnerability
The application exposes an insecure method that fails to properly sanitize input when a user searches for terms within a dictionary. An attacker can leverage this to read or modify arbitrary files on the local file system with the permissions of the user running the application.
Business impact
This vulnerability allows for local file system compromise, potentially leading to the theft of sensitive local data or the execution of arbitrary code if system files are modified. Given the CVSS score of 9.6, this poses a substantial risk to the security of the host machine and the data stored therein.
Remediation
Immediate Action: Update to the latest version of GoldenDict and avoid importing dictionaries from untrusted or unverified sources.
Proactive Monitoring: Monitor the application for unexpected file access patterns or unauthorized modifications to sensitive directories.
Compensating Controls: Run the application with the least-privileged user account necessary to perform its functions to restrict the impact of file system access.
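One way to act on the Proactive Monitoring item above, as an added example that is not GoldenDict's code or part of the original advisory: a Python check that groups simplified, constructed auditd-style records by event id and reports paths opened by the monitored process outside an allowlist. The process name `goldendict`, the `/home/alice` paths and the allowlisted directories are assumptions to adapt per host.

```python
import posixpath
import re
from collections import defaultdict

# Assumptions, adjust per host: monitored process name and directories it may touch.
PROCESS_NAME = "goldendict"
ALLOWED_DIRS = ("/usr/share/goldendict", "/home/alice/.goldendict", "/home/alice/dictionaries")
EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1700000000.101:500): syscall=257 success=yes comm="goldendict"
type=CWD msg=audit(1700000000.101:500): cwd="/home/alice"
type=PATH msg=audit(1700000000.101:500): item=0 name="dictionaries/en.dsl"
type=SYSCALL msg=audit(1700000000.201:501): syscall=257 success=yes comm="goldendict"
type=PATH msg=audit(1700000000.201:501): item=0 name="/home/alice/.goldendict/../.ssh/id_ed25519"
type=SYSCALL msg=audit(1700000000.301:502): syscall=257 success=yes comm="cat"
type=PATH msg=audit(1700000000.301:502): item=0 name="/etc/hostname"
type=SYSCALL msg=audit(1700000000.401:503): syscall=257 success=yes comm="goldendict"
type=PATH msg=audit(1700000000.401:503): item=0 name="/home/alice/.goldendict-backup/notes.txt"
'''  # constructed, simplified auditd-style records; not taken from a real host

def parse_events(log_text):
    """Group SYSCALL, CWD and PATH records that share one audit event id."""
    events = defaultdict(lambda: {"comm": None, "cwd": "/", "paths": []})
    for line in log_text.splitlines():
        match = EVENT_ID.search(line)
        if not match:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        event = events[match.group(1)]
        if fields.get("type") == "PATH" and "name" in fields:
            event["paths"].append(fields["name"])
        elif fields.get("type") == "SYSCALL":
            event["comm"] = fields.get("comm")
        elif fields.get("type") == "CWD":
            event["cwd"] = fields.get("cwd", "/")
    return events

def unexpected_accesses(log_text):
    """Return (event_id, normalized path) for monitored-process paths outside ALLOWED_DIRS."""
    hits = []
    for event_id, event in parse_events(log_text).items():
        for name in event["paths"] if event["comm"] == PROCESS_NAME else []:
            # normpath collapses '..' but does not resolve symlinks.
            full = posixpath.normpath(posixpath.join(event["cwd"], name))
            if not any(full == d or full.startswith(d + "/") for d in ALLOWED_DIRS):
                hits.append((event_id, full))
    return hits
```

Matching on whole path components keeps a sibling directory such as `.goldendict-backup` from passing as the allowlisted `.goldendict`, and normalizing first keeps a `..` segment from hiding the real target.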
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
Users should immediately update GoldenDict to a version where this dangerous method has been secured or removed. Exercise extreme caution when downloading and using dictionary files from third-party repositories to avoid triggering this vulnerability.