CVE-2025-48464 PUBLISHED

Exposure of Sensitive Information

Assigner: CSA
Reserved: 22.05.2025 Published: 08.10.2025 Updated: 08.10.2025

Successful exploitation of the vulnerability could allow an unauthenticated attacker to gain access to a victim’s Sync account data such as account credentials and email protection information.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
CVSS Score: 4.7

Attack Vector	Local	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	None
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	DuckDuckGo
Product	DuckDuckGo Browser
Versions	Default: unknown Version 5.246.0 and below is affected

Solutions

Users of affected product versions are advised to update to DuckDuckGo version 5.247.0 immediately.

Credits

Leng Kang Hao finder

References

https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-097/
https://tuxplorer.com/posts/dont-leave-me-outdated/

Problem Types

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor CWE