{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "0.1.3"
              },
              {
                "fixed": "0.1.8"
              }
            ]
          },
          "events": [
            {
              "introduced": "0269a5bd7e13f051d16ba70ef4f716e0d28808fb"
            },
            {
              "fixed": "efb5afd2f15bd155d27c8aa8717dd5ce25e0b28c"
            },
            {
              "fixed": "2444419b1818c2d6917fc3394c947fb3276e9d59"
            }
          ],
          "repo": "https://github.com/google/osv-scalibr",
          "type": "GIT"
        }
      ]
    }
  ],
  "details": "A path traversal vulnerability in OSV-SCALIBR's unpack() function for container images allows arbitrary file writes on the host system as the user running OSV-SCALIBR. This applies in particular when the CLI flag --remote-image is used on untrusted container images.",
  "id": "CVE-2025-5981",
  "modified": "2026-03-10T21:48:09.342021957Z",
  "published": "2025-06-18T09:15:47.660Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/google/osv-scalibr/releases/tag/v0.1.8"
    },
    {
      "type": "FIX",
      "url": "https://github.com/google/osv-scalibr/commit/2444419b1818c2d6917fc3394c947fb3276e9d59"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}