CVE-2025-61873 — request-tracker4 - security update · VulnScope

CVE-2025-61873

request-tracker4 - security update

2.6

LOW

CVSS 3.1

EPSS 0.01%

Description

Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used.

How to fix CVE-2025-61873

To remediate CVE-2025-61873, upgrade the affected package to a fixed version below.

Debian/request-tracker4—upgrade to 4.4.4+dfsg-2+deb11u5 or later
Debian/request-tracker4—upgrade to 4.4.4+dfsg-2+deb11u5 or later
—upgrade to 4.4.6+dfsg-1.1+deb12u3 or later
—upgrade to 5.0.3+dfsg-3~deb12u4 or later
—upgrade to 5.0.3+dfsg-3~deb12u4 or later

Is CVE-2025-61873 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

from 0, < 4.4.4+dfsg-2+deb11u5
from 0, < 4.4.4+dfsg-2+deb11u5
from 0, < 4.4.6+dfsg-1.1+deb12u3
from 0, < 5.0.3+dfsg-3~deb12u4
from 0, < 5.0.3+dfsg-3~deb12u4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW2.6	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-61873