CVE-2025-55014

Name: CVE-2025-55014
Description: The YouDao plugin for StarDict, as used in stardict 3.0.7+git20220909+dfsg-6 in Debian trixie and elsewhere, sends an X11 selection to the dict.youdao.com and dict.cn servers via cleartext HTTP.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1110370

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| stardict (PTS) | bookworm | 3.0.7+git20220909+dfsg-4 | vulnerable |
| stardict (PTS) | trixie | 3.0.7+git20220909+dfsg-6 | vulnerable |
| stardict (PTS) | forky, sid | 3.0.7+git20220909+dfsg-8 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| stardict | source | (unstable) | 3.0.7+git20220909+dfsg-8 | | | 1110370 |

Notes

[trixie] - stardict <no-dsa> (Minor issue)
[bookworm] - stardict <no-dsa> (Minor issue)
https://www.openwall.com/lists/oss-security/2025/08/04/1
https://lists.debian.org/debian-user/2025/08/msg00076.html
3.0.7+git20220909+dfsg-8, uploaded to unstable, removes the stardict_youdaodict.so
plugin from the stardict-plugin package; consider this version as the fixed version.
