CVE-2025-67124
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-23

Last updated on: 2026-02-11

Assigner: MITRE

Description
A TOCTOU and symlink race in svenstaro/miniserve 0.32.0 upload finalization (when uploads are enabled) can allow an attacker to overwrite arbitrary files outside the intended upload/document root in deployments where the attacker can create/replace filesystem entries in the upload destination directory (e.g., shared writable directory/volume).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-23
Last Modified
2026-02-11
Generated
2026-06-16
AI Q&A
2026-01-23
EPSS Evaluated
2026-06-14
NVD
CVE-2025-67124
EUVD
EUVD-2026-4261
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
svenstaro miniserve 0.32.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-67124 is a vulnerability in miniserve version 0.32.0 involving a Time-of-Check to Time-of-Use (TOCTOU) race condition combined with a symbolic link (symlink) race during file upload finalization. When file uploads are enabled, miniserve first writes uploaded files to a temporary location and then moves them to the final destination within the served directory. An attacker who can create or replace filesystem entries (like symlinks) in the upload directory can exploit the time gap between checking the destination file and writing the file. By rapidly swapping the destination filename with a symlink pointing outside the intended directory, the attacker can cause miniserve to overwrite arbitrary files elsewhere on the filesystem, limited by the miniserve process's privileges. This can lead to overwriting critical system files, potentially enabling remote code execution. [1]

Impact Analysis

This vulnerability can allow an attacker to overwrite arbitrary files on the server outside the intended upload directory. If exploited, it can lead to remote code execution by overwriting files that are executed or interpreted by the system, such as shell initialization files, cron jobs, or service configuration files. This can result in system compromise, unauthorized access, or disruption of services. The impact depends on the privileges of the miniserve process and the attacker's ability to create or replace filesystem entries in the upload directory. [1]

Detection Guidance

This vulnerability can be detected by monitoring for unusual file modifications or overwrites in directories served by miniserve when uploads are enabled. Specifically, look for rapid creation or replacement of symbolic links in the upload destination directory, which could indicate exploitation attempts. Additionally, analyzing HTTP upload requests to the miniserve server for abnormal patterns or high-frequency uploads may help detect exploitation. A practical approach includes using filesystem monitoring tools like 'inotifywait' on Linux to watch the upload directory for symlink creation or changes. Example command: `inotifywait -m -e create,modify,attrib /path/to/upload/directory` to monitor filesystem events. Also, checking for unexpected changes in critical files outside the upload directory (e.g., `.bashrc`, cron jobs) can indicate successful exploitation. Network monitoring tools can be used to log and analyze HTTP POST requests to the upload endpoint for suspicious activity. [1]

Mitigation Strategies

Immediate mitigation steps include: 1) Disable the `--upload-files` option in miniserve if file uploads are not necessary. 2) Restrict write permissions on the upload destination directory to trusted users only, preventing attackers from creating or replacing filesystem entries such as symlinks. 3) Run miniserve as a low-privilege user with minimal writable files to limit the impact of any exploitation. 4) Ensure the temporary upload directory and the final destination directory reside on the same filesystem to enable atomic rename operations, reducing the race window. 5) Monitor and audit filesystem changes in the upload directory and critical system files. These operational mitigations reduce the risk until a developer fix is applied that prevents symlink following and uses atomic file operations. [1]

Compliance Impact

The vulnerability allows an attacker to overwrite arbitrary files outside the intended upload directory, potentially leading to unauthorized modification of system or application files. This could result in unauthorized access, data tampering, or system compromise, which may violate data protection and security requirements mandated by standards like GDPR and HIPAA. Specifically, the ability to overwrite files could lead to breaches of confidentiality, integrity, and availability of sensitive data, thereby impacting compliance with these regulations. Mitigations such as running miniserve with least privilege and securing upload directories are necessary to reduce this risk. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67124. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart