CVE-2025-24889

The SecureDrop Client is a desktop application for journalists to communicate with sources and work with submissions on the SecureDrop Workstation. Prior to versions 0.14.1 and 1.0.1, an attacker who has already gained code execution in a virtual machine on the SecureDrop Workstation could gain code execution in the sd-log virtual machine by sending a specially crafted log entry. The vulnerability is not exploitable remotely and requires an attacker to already have code execution on one of the other virtual machines (VMs) of the system. Due to the Workstation's underlying usage of Qubes for strong isolation, the vulnerability would have allowed lateral movement between any log-enabled VM and the sd-log VM, but no further. The SecureDrop workstation collects logs centrally in an isolated virtual machine named sd-log for easy export for support and debugging purposes. The sd-log VM is completely isolated from the internet and ingests logs via a narrow Qubes RPC policy that allow