CVE-2025-52968
Publication date 23 June 2025
Last updated 20 October 2025
Ubuntu priority
Description
xdg-open in xdg-utils through 1.2.1 can send requests containing SameSite=Strict cookies, which can facilitate CSRF. (For example, xdg-open could be modified to, by default, associate x-scheme-handler/https with the execution of a browser with command-line options that arrange for an empty cookie store, although this would add substantial complexity, and would not be considered a desirable or expected behavior by all users.) NOTE: this is disputed because integrations of xdg-open typically do not provide information about whether the xdg-open command and arguments were manually entered by a user, or whether they were the result of a navigation from content in an untrusted origin.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| xdg-utils | 25.10 questing |
Vulnerable, fix deferred
|
| 25.04 plucky |
Vulnerable, fix deferred
|
|
| 24.04 LTS noble |
Vulnerable, fix deferred
|
|
| 22.04 LTS jammy |
Vulnerable, fix deferred
|
|
| 20.04 LTS focal |
Vulnerable, fix deferred
|
|
| 18.04 LTS bionic |
Vulnerable, fix deferred
|
|
| 16.04 LTS xenial |
Vulnerable, fix deferred
|
Notes
mdeslaur
as of 2025-10-20, there is no upstream fix for this issue. The CVE may be disputed as this is more of a hardening measure than an actual flaw.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
2.7 · Low
|
| Attack vector | Local |
| Attack complexity | High |
| Privileges required | None |
| User interaction | Required |
| Scope | Changed |
| Confidentiality | Low |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N |