CVE-2025-67124
BaseFortify
Publication date: 2026-01-23
Last updated on: 2026-02-11
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| svenstaro | miniserve | 0.32.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-59 | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
| CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-67124 is a vulnerability in miniserve version 0.32.0 involving a Time-of-Check to Time-of-Use (TOCTOU) race condition combined with a symbolic link (symlink) race during file upload finalization. When file uploads are enabled, miniserve first writes uploaded files to a temporary location and then moves them to the final destination within the served directory. An attacker who can create or replace filesystem entries (like symlinks) in the upload directory can exploit the time gap between checking the destination file and writing the file. By rapidly swapping the destination filename with a symlink pointing outside the intended directory, the attacker can cause miniserve to overwrite arbitrary files elsewhere on the filesystem, limited by the miniserve process's privileges. This can lead to overwriting critical system files, potentially enabling remote code execution. [1]
How can this vulnerability impact me? :
This vulnerability can allow an attacker to overwrite arbitrary files on the server outside the intended upload directory. If exploited, it can lead to remote code execution by overwriting files that are executed or interpreted by the system, such as shell initialization files, cron jobs, or service configuration files. This can result in system compromise, unauthorized access, or disruption of services. The impact depends on the privileges of the miniserve process and the attacker's ability to create or replace filesystem entries in the upload directory. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual file modifications or overwrites in directories served by miniserve when uploads are enabled. Specifically, look for rapid creation or replacement of symbolic links in the upload destination directory, which could indicate exploitation attempts. Additionally, analyzing HTTP upload requests to the miniserve server for abnormal patterns or high-frequency uploads may help detect exploitation. A practical approach includes using filesystem monitoring tools like 'inotifywait' on Linux to watch the upload directory for symlink creation or changes. Example command: `inotifywait -m -e create,modify,attrib /path/to/upload/directory` to monitor filesystem events. Also, checking for unexpected changes in critical files outside the upload directory (e.g., `.bashrc`, cron jobs) can indicate successful exploitation. Network monitoring tools can be used to log and analyze HTTP POST requests to the upload endpoint for suspicious activity. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Disable the `--upload-files` option in miniserve if file uploads are not necessary. 2) Restrict write permissions on the upload destination directory to trusted users only, preventing attackers from creating or replacing filesystem entries such as symlinks. 3) Run miniserve as a low-privilege user with minimal writable files to limit the impact of any exploitation. 4) Ensure the temporary upload directory and the final destination directory reside on the same filesystem to enable atomic rename operations, reducing the race window. 5) Monitor and audit filesystem changes in the upload directory and critical system files. These operational mitigations reduce the risk until a developer fix is applied that prevents symlink following and uses atomic file operations. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an attacker to overwrite arbitrary files outside the intended upload directory, potentially leading to unauthorized modification of system or application files. This could result in unauthorized access, data tampering, or system compromise, which may violate data protection and security requirements mandated by standards like GDPR and HIPAA. Specifically, the ability to overwrite files could lead to breaches of confidentiality, integrity, and availability of sensitive data, thereby impacting compliance with these regulations. Mitigations such as running miniserve with least privilege and securing upload directories are necessary to reduce this risk. [1]