CVE-2025-58060

NameCVE-2025-58060
DescriptionOpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.12 and earlier, when the `AuthType` is set to anything but `Basic`, if the request contains an `Authorization: Basic ...` header, the password is not checked. This results in authentication bypass. Any configuration that allows an `AuthType` that is not `Basic` is affected. Version 2.4.13 fixes the issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4298-1, DSA-5998-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
cups (PTS)bullseye2.3.3op2-3+deb11u8vulnerable
bullseye (security)2.3.3op2-3+deb11u10fixed
bookworm2.4.2-3+deb12u8vulnerable
bookworm (security)2.4.2-3+deb12u9fixed
trixie (security)2.4.10-3+deb13u1fixed
forky, trixie2.4.10-3vulnerable
sid2.4.10-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
cupssourcebullseye2.3.3op2-3+deb11u10DLA-4298-1
cupssourcebookworm2.4.2-3+deb12u9DSA-5998-1
cupssourcetrixie2.4.10-3+deb13u1DSA-5998-1
cupssource(unstable)2.4.10-4

Notes

https://www.openwall.com/lists/oss-security/2025/09/11/1
Fixed by: https://github.com/OpenPrinting/cups/commit/595d691075b1d396d2edfaa0a8fd0873a0a1f221 (v2.4.13)
Search for package or bug name: Reporting problems