Two serious vulnerabilities have been discovered in the Linux Common Unix Printing System (CUPS), exposing millions of systems to remote denial-of-service attacks and authentication bypass vulnerabilities.
These vulnerabilities are tracked as CVE-2025-58364 and CVE-2025-58060, affecting the core printing infrastructure used in nearly all Linux distributions, posing a significant risk to network security.
Remote DoS Vulnerability
The first vulnerability, CVE-2025-58364, arises from unsafe deserialization and validation of printer attributes in the libcups library.
This medium-severity flaw allows attackers to trigger a null dereference through carefully crafted printer attribute responses, leading to crashes of systems on the local network.
The vulnerability manifests in the ipp_read_io() function when handling IPP_OP_GET_PRINTER_ATTRIBUTES requests.
Security researchers demonstrated that the combination of ippNewRequest(), cupsDoRequest(), and ippValidateAttributes() functions creates a dangerous code path where malformed responses can lead to a null pointer dereference in the loop for (ptr = attr->values[i].string.text; *ptr; ptr ++).
The attack vector requires adjacent network access, allowing exploitation within the local subnet where CUPS services automatically discover printers.
Systems running the CUPS browsing service are particularly vulnerable, as this service actively listens for printer announcements on the network.
This vulnerability affects all CUPS versions below 2.4.12, with no patches currently available. The vulnerability was discovered and reported by security researcher SilverPlate3.
Authentication Bypass Vulnerability
CVE-2025-58060 represents a high-severity authentication bypass vulnerability affecting CUPS configurations using AuthType Negotiate or any non-basic authentication method.
This vulnerability allows attackers to bypass password verification by sending an Authorization: Basic header when the system requires a different authentication type.
The flaw exists in the cupsdAuthorize() function within the scheduler/auth.c file. When an administrator configures DefaultAuthType to anything other than basic authentication, the system incorrectly skips password verification if the incoming request contains a basic authentication header.
Attackers can exploit this by sending a request with Authorization: Basic $(echo -n admin:x | base64), where the password can be any arbitrary string.
This bypass grants unauthorized access to CUPS administrative functions, potentially allowing attackers to modify printer configurations, access print queues, or execute administrative commands.
The vulnerability affects systems where administrators have implemented Kerberos, LDAP, or other enterprise authentication mechanisms to secure their printing infrastructure.
This vulnerability was identified and reported by researcher hvenev-insait.
Please open in the WeChat client
Mitigation Measures
Both vulnerabilities expose critical weaknesses in deploying CUPS across enterprise and home networks.
The DoS vulnerability could disrupt printing services across the network, while the authentication bypass undermines administrative access control.
Organizations using CUPS in production environments should immediately assess their exposure and implement network-level protections.
Network administrators should restrict access to IPP port 631 through firewalls and disable CUPS browsing service on systems where automatic printer discovery is not needed.
For the authentication bypass vulnerability, temporarily reverting to AuthType Basic with strong passwords can provide immediate protection until patches are available.
Organizations should monitor security updates in the OpenPrinting project repository and apply patches immediately upon release.