Vulnerability Description
RomM is a self-hosted ROM manager and player. Versions prior to 3.10.3 and 4.0.0-beta.3 have an authenticated path traversal vulnerability in the `/api/raw` endpoint. Anyone running the latest version of RomM with multiple users, even unprivileged ones such as the kiosk user in the official implementation, may be affected. The flaw allows the leakage of passwords and user data that may be stored on the system. Versions 3.10.3 and 4.0.0-beta.3 contain a patch.
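The defensive check that closes this class of bug, added here as an illustration; it is not RomM's code or its actual fix (the linked commits are), and `resolve_under_base`, `PathEscapesBase` and the sample directory layout are assumptions constructed for the example.

```python
# Added example, not RomM's own code: reject any user-supplied path whose
# *resolved* form leaves the library directory a raw-file endpoint may serve.
import os
import tempfile
from pathlib import Path


class PathEscapesBase(Exception):
    """Raised when a requested path resolves outside the allowed base directory."""


def resolve_under_base(base: Path, user_path: str) -> Path:
    """Return the real path for `user_path`, or raise if it escapes `base`.

    Containment is checked on the resolved path, so '..' segments, absolute
    paths and symlinks pointing outside `base` are all rejected.
    """
    base_real = base.resolve(strict=True)
    # Strip a leading separator first: Path(base) / "/x" would discard base.
    candidate = (base_real / user_path.lstrip("/\\")).resolve(strict=False)
    try:
        candidate.relative_to(base_real)
    except ValueError:
        raise PathEscapesBase(f"refusing {user_path!r}: outside {base_real}")
    return candidate


def demo() -> dict:
    """Constructed sandbox: a ROM inside the library, a secret file outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        roms = root / "library" / "roms"
        roms.mkdir(parents=True)
        (roms / "game.bin").write_bytes(b"ROM")
        secret = root / "secret.txt"
        secret.write_text("not for kiosk users")
        # A symlink inside the library that points out of it must also fail.
        os.symlink(secret, roms / "link.txt")

        results = {}
        for req in ["game.bin", "../../secret.txt", "link.txt", "sub/../game.bin"]:
            try:
                results[req] = resolve_under_base(roms, req).read_bytes().decode()
            except PathEscapesBase:
                results[req] = "rejected"
            except FileNotFoundError:
                results[req] = "missing"
        return results
```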
Related Weaknesses (CWE)
References
- https://github.com/rommapp/romm/blob/4.0.0-beta.2/backend/endpoints/raw.py#L31
- https://github.com/rommapp/romm/commit/7c94cb05e74ddb6a6af7b82320686c01754e9966
- https://github.com/rommapp/romm/commit/baa1a9759079c36e36a9f10c920c46b57d0b6151
- https://github.com/rommapp/romm/security/advisories/GHSA-fx9g-xw4j-jwc3
FAQ
What is CVE-2025-53908?
CVE-2025-53908 is a documented vulnerability. RomM is a self-hosted ROM manager and player. Versions prior to 3.10.3 and 4.0.0-beta.3 have an authenticated path traversal vulnerability in the `/api/raw` endpoint. Anyone running the latest version...
How severe is CVE-2025-53908?
CVSS scoring is not yet available for CVE-2025-53908. Check NVD for updates.
Is there a patch for CVE-2025-53908?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.