CVE-2025-13947: Webkit: webkitgtk: remote user-assisted information disclosure via file drag-and-drop
A flaw was found in WebKitGTK. Because WebKitGTK does not verify that a drag operation originated outside the browser before granting access to the referenced file path, a malicious web page can abuse the file drag-and-drop mechanism to achieve remote, user-assisted information disclosure of any file the user is permitted to read.
Other sources
This vulnerability allows a malicious website to read arbitrary local files by abusing the file drag-and-drop mechanism in WebKitGTK. The flaw exists because WebKitGTK does not verify that drag operations originate from outside the browser before granting access to the referenced file path. A crafted webpage can prompt the user to perform an innocent-looking drag action that unintentionally exposes sensitive file content accessible to the user account. This results in a remote, user-assisted information disclosure vulnerability that can reveal any file the user is permitted to read.
— Red Hat
Frequently Asked Questions
What is the severity of CVE-2025-13947?
CVE-2025-13947 is categorized as a moderate severity vulnerability.
What types of systems are affected by CVE-2025-13947?
CVE-2025-13947 affects systems running WebKitGTK, including applications that embed it for web rendering.
How do I fix CVE-2025-13947?
To fix CVE-2025-13947, update to the latest available version of WebKitGTK that addresses this vulnerability.
Can CVE-2025-13947 be exploited remotely?
Yes, CVE-2025-13947 can be exploited remotely if a user is tricked into performing specific actions.
What is the main risk associated with CVE-2025-13947?
The main risk of CVE-2025-13947 is information disclosure: local files readable by the user's account can be revealed to a remote attacker.