CVE-2025-43715

Name: CVE-2025-43715
Description: Nullsoft Scriptable Install System (NSIS) before 3.11 on Windows allows local users to escalate privileges to SYSTEM during an installation, because the temporary plugins directory is created under %WINDIR%\temp and unprivileged users can place a crafted executable file by winning a race condition. This occurs because EW_CREATEDIR does not always set the CreateRestrictedDirectory error flag.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1103524

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| nsis (PTS) | bullseye | 3.06.1-1 | vulnerable |
| | bullseye (security) | 3.06.1-1+deb11u1 | vulnerable |
| | bookworm | 3.08-3+deb12u1 | vulnerable |
| | trixie, sid | 3.11-1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| nsis | source | (unstable) | 3.11-1 | | | 1103524 |

Notes

https://sourceforge.net/p/nsis/bugs/1315/
https://nsis.sourceforge.io/Docs/AppendixF.html#v3.11-rl
Fixed by: https://sourceforge.net/p/nsis/code/7444/
