| Date | 2025-09-18 |
| Severity | reported "critical", BlueSpice assessment: low |
| Affected | Services in current LTS version 5.1 |
| Fixed in | fix not yet available |
| CVE | CVE-2025-54988, CVE-2025-7783, CVE-2025-58050, CVE-2025-49794, CVE-2025-49796 |
Problem
- Service bluespice/search
  - CVE-2025-54988
- Service bluespice/formula
  - CVE-2025-7783
- Service bluespice/wiki
  - PCRE: CVE-2025-58050
  - libxml: CVE-2025-49794 and CVE-2025-49796
Impact assessment
- Service bluespice/search
  - The issue has already been fixed in the upstream repository, but there is no official release yet.
  - A manipulated PDF file needs to be uploaded to the wiki, which usually requires an authenticated user context. The service runs only in the background and cannot be accessed from outside the virtual network. It has limited access to the host system.
- Service bluespice/formula
  - Caused by a dependency of coveralls
  - Not used in production code
- Service bluespice/wiki
  - No direct usage of those libraries
  - Only accessed via PHP
  - Main impacts are potential information disclosure and denial of service
  - No critical information can be disclosed
Solution
To mitigate CVE-2025-54988, make sure the bluespice/search service has no access to the internet.
Besides this, there is currently no solution to these issues. Once the upstream vendors release fixed packages, the next patch-level release of BlueSpice will contain them.
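One way to implement the egress restriction described above for a Docker Compose deployment, as an added example that is not part of the advisory or of BlueSpice's own compose files: the search container is attached only to an `internal: true` network, so it can still be reached by the wiki container but has no route to the internet. The service and network names (`wiki`, `search`, `frontend`, `backend`) and the untagged image references are assumptions; adapt them to your deployment.

```yaml
# Added example, not from the BlueSpice advisory or the official compose files.
# Service and network names are assumptions.
# Goal: bluespice/search keeps talking to the wiki container over the
# internal "backend" network, but has no path to the internet, so an
# outbound connection triggered while parsing a manipulated PDF cannot
# leave the Docker host.
services:
  wiki:
    image: bluespice/wiki
    networks:
      - frontend   # reached from the reverse proxy / the outside world
      - backend    # carries wiki <-> search traffic only

  search:
    image: bluespice/search
    networks:
      - backend    # the ONLY network: no default bridge, hence no egress

networks:
  frontend: {}
  backend:
    internal: true # Docker sets up no NAT/masquerade for this network,
                   # so containers on it cannot reach external hosts
```

To verify, attempt any outbound connection from inside the search container (for example a curl or wget request to a public address with a short timeout) and confirm that it fails, while the wiki container can still open the search service's port over the `backend` network. Note the caveat: this blocks all outbound traffic from the search service, including legitimate traffic such as reaching an external package mirror or license server; if the service needs such access, route it through an explicit proxy on the `backend` network rather than reattaching the container to a non-internal network.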