CVE-2025-67487
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-09

Last updated on: 2025-12-11

Assigner: GitHub, Inc.

Description
Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. Versions 2.40.0 and below contain symbolic links (symlinks) which can be used to access files or directories outside the intended web root folder. SWS generally does not prevent symlinks from escaping the web server’s root directory. Therefore, if a malicious actor gains access to the web server’s root directory, they could create symlinks to access other files outside the designated web root folder either by URL or via the directory listing. This issue is fixed in version 2.40.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-09
Last Modified
2025-12-11
Generated
2026-05-07
AI Q&A
2025-12-09
EPSS Evaluated
2026-05-05
NVD
CVE-2025-67487
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
static_web_server static_web_server 2.40.0
static-web-server static_web_server to 2.40.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
CWE-61 The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Static Web Server (SWS) versions 2.40.0 and below, where symbolic links (symlinks) can be used to access files or directories outside the intended web root folder. The server does not prevent symlinks from escaping the root directory, allowing a malicious actor who has access to the web server's root directory to create symlinks that point to files outside the designated web root. This can be exploited either by URL or via directory listing. The issue is fixed in version 2.40.1.


How can this vulnerability impact me? :

If exploited, this vulnerability can allow an attacker to access sensitive files or directories outside the web server's intended root folder. This could lead to unauthorized disclosure of information, potentially exposing confidential data or system files that should not be publicly accessible.


What immediate steps should I take to mitigate this vulnerability?

Upgrade Static Web Server (SWS) to version 2.40.1 or later, as this version fixes the symlink issue that allows access outside the web root folder. Additionally, restrict access to the web server's root directory to prevent unauthorized creation of symbolic links.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart