OpenPrinting CUPS CVE-2025-58060: Brief Summary of an Authentication Bypass Vulnerability

This post provides a brief summary of CVE-2025-58060, an authentication bypass vulnerability in OpenPrinting CUPS affecting versions 2.4.12 and earlier. The flaw allows attackers to bypass authentication when AuthType is set to anything but Basic, if an Authorization: Basic header is present. The issue is fixed in version 2.4.13.
ZeroPath CVE Analysis

2025-09-11
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

Attackers can bypass authentication in CUPS administrative interfaces if the system is configured with any AuthType other than Basic. This flaw can grant unauthorized access to print server management, potentially exposing sensitive print jobs or allowing configuration changes. CUPS (Common UNIX Printing System) is the standard printing system for Linux and other Unix-like operating systems, maintained by OpenPrinting and deployed on millions of systems worldwide.

Technical Information

CVE-2025-58060 is an authentication bypass vulnerability in CUPS versions 2.4.12 and earlier. The issue is triggered when the CUPS configuration sets the AuthType directive to any value except Basic (such as Digest or certificate-based authentication). If a client request includes an Authorization: Basic ... header, CUPS fails to check the password, allowing the request to proceed without proper authentication.

The root cause is a logic flaw in the authentication handling code. Specifically, the code does not enforce credential verification when there is a mismatch between the configured AuthType and the type of Authorization header received. This allows attackers to craft HTTP requests with an Authorization: Basic header that will be accepted even if the password is invalid or missing, as long as the server is not set to use Basic authentication.

This vulnerability is particularly impactful for environments that have intentionally chosen stronger authentication mechanisms, as their configurations are rendered ineffective by this flaw. The vulnerability affects both the CUPS web administration interface (commonly on port 631) and any service endpoints protected by CUPS authentication.
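The logic flaw described above, reduced to a small model. This is an added illustration written for this post, not CUPS source code: the credential store, the header helper and the two dispatch functions are constructed for the example. `authorize_vulnerable` reproduces the described behaviour (a Basic header is waved through whenever the configured AuthType is something else), and `authorize_fixed` shows the check a hardened dispatcher needs: the scheme in the Authorization header must match the configured AuthType before any verifier runs.

```python
import base64

# Constructed credential store for the model (not real CUPS data).
USERS = {"admin": "correct-horse"}


def basic_header(user, password):
    """Build an 'Authorization: Basic ...' header value for the tests."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def parse_authorization(header):
    """Split a header value into (scheme, credentials); both None if absent."""
    if not header or not header.strip():
        return None, None
    parts = header.strip().split(None, 1)
    scheme = parts[0].lower()
    creds = parts[1] if len(parts) > 1 else ""
    return scheme, creds


def verify_basic(creds):
    """Decode a Basic token and compare against the constructed store."""
    try:
        decoded = base64.b64decode(creds, validate=True).decode()
    except Exception:
        return False
    if ":" not in decoded:
        return False
    user, password = decoded.split(":", 1)
    return USERS.get(user) == password


def verify_other(scheme, creds):
    """Stand-in for Digest / Negotiate / certificate verification.

    In this model every non-Basic verifier rejects, so any True result
    from the dispatchers below for a non-Basic AuthType is a bypass.
    """
    return False


def authorize_vulnerable(auth_type, header):
    """Model of the flawed dispatch: a scheme mismatch is not rejected."""
    auth_type = auth_type.lower()
    if auth_type == "none":
        return True
    scheme, creds = parse_authorization(header)
    if scheme is None:
        return False
    if auth_type == "basic":
        return verify_basic(creds)
    if scheme == auth_type:
        return verify_other(scheme, creds)
    # Flaw: a Basic header against a Digest/Negotiate/cert AuthType falls
    # through here and is treated as already authenticated.
    return True


def authorize_fixed(auth_type, header):
    """Hardened dispatch: the header scheme must equal the configured AuthType."""
    auth_type = auth_type.lower()
    if auth_type == "none":
        return True
    scheme, creds = parse_authorization(header)
    if scheme is None or scheme != auth_type:
        return False  # mismatched or missing scheme is an authentication failure
    if scheme == "basic":
        return verify_basic(creds)
    return verify_other(scheme, creds)


if __name__ == "__main__":
    bogus = basic_header("nobody", "wrong")
    print("vulnerable, AuthType Digest, bogus Basic header:",
          authorize_vulnerable("Digest", bogus))
    print("fixed,      AuthType Digest, bogus Basic header:",
          authorize_fixed("Digest", bogus))
```

The point of the model is the ordering of checks: the scheme comparison has to happen before the branch on the configured type, otherwise the "wrong scheme" case needs its own explicit reject and is easy to drop.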

Affected Systems and Versions

  • Product: OpenPrinting CUPS
  • Affected versions: 2.4.12 and all earlier versions
  • Vulnerable configurations: Any CUPS deployment where AuthType is set to a value other than Basic (for example, Digest or certificate-based authentication)
  • Fixed in: CUPS version 2.4.13
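A configuration audit for the conditions listed above, added here as an example and not part of the post or of CUPS. It walks a cupsd.conf, resolves `AuthType Default` through `DefaultAuthType` (assumption: CUPS falls back to Basic when `DefaultAuthType` is unset), reports every location or policy whose effective AuthType is neither Basic nor None, and compares the running version against 2.4.13. The sample configuration is constructed for the example; on a real host you would read `/etc/cups/cupsd.conf` and take the version from `cups-config --version` or the `Server` header.

```python
import re

FIXED_VERSION = (2, 4, 13)

# Constructed sample cupsd.conf; not taken from any real host.
SAMPLE_CONF = """\
# constructed sample cupsd.conf
DefaultAuthType Negotiate
<Location /admin>
  AuthType Default
  Require user @SYSTEM
</Location>
<Location /admin/conf>
  AuthType Basic
</Location>
<Policy default>
  <Limit Pause-Printer Resume-Printer>
    AuthType Digest
  </Limit>
</Policy>
"""


def parse_version(text):
    """Extract (major, minor, patch) from a version string such as '2.4.12'."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(text):
    """True for 2.4.12 and earlier (the affected range named in the advisory)."""
    return parse_version(text) < FIXED_VERSION


def auth_type_directives(conf_text):
    """List every AuthType / DefaultAuthType directive with its effective value."""
    lines = conf_text.splitlines()
    default_type = "basic"  # assumption: Basic when DefaultAuthType is absent
    for raw in lines:
        m = re.match(r"\s*DefaultAuthType\s+(\S+)", raw, re.I)
        if m:
            default_type = m.group(1).lower()

    results = []
    stack = []  # open <Location>/<Policy>/<Limit> blocks, innermost last
    for n, raw in enumerate(lines, 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"<(\w+)\s*([^>]*)>$", line)
        if m:
            stack.append((m.group(1) + " " + m.group(2)).strip())
            continue
        if re.match(r"</\w+>$", line):
            if stack:
                stack.pop()
            continue
        m = re.match(r"(DefaultAuthType|AuthType)\s+(\S+)$", line, re.I)
        if not m:
            continue
        configured = m.group(2)
        effective = default_type if configured.lower() == "default" else configured.lower()
        results.append({
            "line": n,
            "context": " > ".join(stack) or "global",
            "directive": m.group(1),
            "configured": configured,
            "effective": effective,
        })
    return results


def non_basic_findings(conf_text):
    """Directives whose effective AuthType is the vulnerable kind (not Basic/None)."""
    return [r for r in auth_type_directives(conf_text)
            if r["effective"] not in ("basic", "none")]


def audit(conf_text, version):
    """Combine the version check with the configuration scan."""
    findings = non_basic_findings(conf_text)
    return {
        "version": version,
        "version_vulnerable": is_vulnerable_version(version),
        "findings": findings,
        "exposed": is_vulnerable_version(version) and bool(findings),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CONF, "2.4.12")
    print("exposed:", report["exposed"])
    for f in report["findings"]:
        print(f"  line {f['line']:>3}  {f['context']:<45} "
              f"{f['directive']} {f['configured']} -> effective {f['effective']}")
```

An `AuthType Basic` block on a vulnerable version is not reported, which matches the advisory: the bypass needs a non-Basic AuthType. Blocks inherit nothing in this scan, so a `<Limit>` without its own AuthType is not attributed the enclosing policy's setting; extend the stack handling if your configuration relies on that.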

Vendor Security History

OpenPrinting has addressed several notable CUPS vulnerabilities in recent years, including remote code execution and privilege escalation issues disclosed in 2024. The project typically responds quickly to security reports, coordinating with Linux distributions to release patches. CUPS's wide deployment means that vulnerabilities can have broad impact, and OpenPrinting's security advisories are closely watched by the industry.
