SCA: security update for datasette (GHSA-w832-gg5g-x44m)

medium Tenable Cloud Security Plugin ID 435954

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Datasette is an open source multi-tool for exploring and publishing data. In versions 0.65.1 and below and
1.0a0 through 1.0a19, deployed instances of Datasette include an open redirect vulnerability. Hits to the
path //example.com/foo/bar/ (the trailing slash is required) will redirect the user to
https://example.com/foo/bar. This problem has been patched in both Datasette 0.65.2 and 1.0a21. To
workaround this issue, if Datasette is running behind a proxy, that proxy could be configured to replace
// with / in incoming request URLs. (CVE-2025-64481)

See Also

https://github.com/advisories/GHSA-w832-gg5g-x44m

Plugin Details

Severity: Medium

ID: 435954

Version: Revision 1.12

Type: Local

Family: SCA Checks

Published: 11/7/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 8.95

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2025-64481

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Threat Score: 2.7

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 11/6/2025

Vulnerability Publication Date: 11/6/2025

Reference Information

CVE: CVE-2025-64481

cwe: CWE-601