{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-67858", "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "state": "PUBLISHED", "assignerShortName": "suse", "dateReserved": "2025-12-12T14:23:59.780Z", "datePublished": "2026-01-08T15:23:46.487Z", "dateUpdated": "2026-01-08T15:39:49.947Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "Foomuuri", "product": "Foomuuri", "vendor": "https://github.com/FoobarOy/", "versions": [{"lessThan": "0.31", "status": "affected", "version": "?", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Matthias Gerstner of SUSE"}], "datePublic": "2026-01-07T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A Improper Neutralization of Argument Delimiters vulnerability in Foomuuri can lead to integrity loss of the firewall configuration or further unspecified impact by manipulating the JSON configuration passed to `nft`.<br><p>This issue affects Foomuuri: from ? before 0.31.</p>"}], "value": "A Improper Neutralization of Argument Delimiters vulnerability in Foomuuri can lead to integrity loss of the firewall configuration or further unspecified impact by manipulating the JSON configuration passed to `nft`.\nThis issue affects Foomuuri: from ? before 0.31."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 7, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-88", "description": "CWE-88: Improper Neutralization of Argument Delimiters", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse", "dateUpdated": "2026-01-08T15:23:46.487Z"}, "references": [{"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-67858"}, {"url": "https://security.opensuse.org/2026/01/07/foomuuri-lack-of-dbus-authorization.html"}], "source": {"discovery": "INTERNAL"}, "title": "A crafted \"interface\" input parameter can lead to integrity loss of the firewall configuration", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-08T15:39:30.668665Z", "id": "CVE-2025-67858", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T15:39:49.947Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-67858", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-08T15:39:30.668665Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T15:39:42.168Z"}}], "cna": {"title": "A crafted \"interface\" input parameter can lead to integrity loss of the firewall configuration", "source": {"discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Matthias Gerstner of SUSE"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "https://github.com/FoobarOy/", "product": "Foomuuri", "versions": [{"status": "affected", "version": "?", "lessThan": "0.31", "versionType": "semver"}], "packageName": "Foomuuri", "defaultStatus": "unaffected"}], "datePublic": "2026-01-07T11:00:00.000Z", "references": [{"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-67858"}, {"url": "https://security.opensuse.org/2026/01/07/foomuuri-lack-of-dbus-authorization.html"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "A Improper Neutralization of Argument Delimiters vulnerability in Foomuuri can lead to integrity loss of the firewall configuration or further unspecified impact by manipulating the JSON configuration passed to `nft`.\nThis issue affects Foomuuri: from ? before 0.31.", "supportingMedia": [{"type": "text/html", "value": "A Improper Neutralization of Argument Delimiters vulnerability in Foomuuri can lead to integrity loss of the firewall configuration or further unspecified impact by manipulating the JSON configuration passed to `nft`.<br><p>This issue affects Foomuuri: from ? before 0.31.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-88", "description": "CWE-88: Improper Neutralization of Argument Delimiters"}]}], "providerMetadata": {"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse", "dateUpdated": "2026-01-08T15:23:46.487Z"}}}, "cveMetadata": {"cveId": "CVE-2025-67858", "state": "PUBLISHED", "dateUpdated": "2026-01-08T15:39:49.947Z", "dateReserved": "2025-12-12T14:23:59.780Z", "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "datePublished": "2026-01-08T15:23:46.487Z", "assignerShortName": "suse"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A Improper Neutralization of Argument Delimiters vulnerability in Foomuuri can lead to integrity loss of the firewall configuration or further unspecified impact by manipulating the JSON configuration passed to `nft`.\nThis issue affects Foomuuri: from ? before 0.31."}], "id": "CVE-2025-67858", "lastModified": "2026-01-08T18:08:18.457", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "meissner@suse.de", "type": "Secondary"}]}, "published": "2026-01-08T16:15:47.003", "references": [{"source": "meissner@suse.de", "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-67858"}, {"source": "meissner@suse.de", "url": "https://security.opensuse.org/2026/01/07/foomuuri-lack-of-dbus-authorization.html"}], "sourceIdentifier": "meissner@suse.de", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-88"}], "source": "meissner@suse.de", "type": "Primary"}]}

{"bugzilla": {"description": "Foomuuri: Foomuuri: Integrity loss of firewall configuration via improper neutralization of argument delimiters", "id": "2428023", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2428023"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-88", "details": ["A flaw was found in Foomuuri. A local user can exploit this vulnerability by manipulating the JSON configuration passed to `nft`. This improper neutralization of argument delimiters can lead to the integrity loss of the firewall configuration or other unspecified impacts."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability, if the Foomuuri package is not essential for system operation, consider removing it. For systems where Foomuuri is required, ensure that only trusted administrators have local access, as exploitation requires local interaction to manipulate firewall configurations."}, "name": "CVE-2025-67858", "public_date": "2026-01-08T15:23:46Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-67858\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-67858\nhttps://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-67858\nhttps://security.opensuse.org/2026/01/07/foomuuri-lack-of-dbus-authorization.html"], "statement": "This vulnerability is rated Important for Red Hat's Community Projects because a local user can exploit an improper neutralization of argument delimiters in Foomuuri. This flaw allows manipulation of the JSON configuration passed to `nft`, leading to integrity loss of the firewall configuration. This could result in unauthorized network access or other unspecified impacts on affected systems running Foomuuri.", "threat_severity": "Important"}