CVE-2026-25499
Directory Traversal via Insecure Sudo in Terraform Proxmox Provider
Publication date: 2026-02-04
Last updated on: 2026-02-11
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bpg | terraform_provider | up to 0.93.1 (excluding 0.93.1) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1188 | The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure. |
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can lead to unauthorized privilege escalation on the affected system.
An attacker with access to the terraform user could exploit the insecure sudoers configuration to write or modify arbitrary files anywhere on the system by escaping the intended directory restrictions.
This could allow the attacker to add malicious sudoers files, granting themselves full root privileges and complete control over the system.
Such unauthorized root-level access compromises system integrity, confidentiality, and availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
Can you explain this vulnerability to me?
This vulnerability is a path traversal issue in the sudoers configuration recommended by the Terraform / OpenTofu Provider for Proxmox Virtual Environment prior to version 0.93.1.
The insecure sudoers line allowed the terraform user to run the `tee` command with root privileges on any file within a directory like `/var/lib/vz/*` using a wildcard. Because of this, an attacker could exploit directory traversal sequences (e.g., `../`) to escape the intended directory and modify arbitrary system files.
For example, the terraform user could write a malicious sudoers file outside the allowed directory, granting themselves full root privileges, effectively escalating their access on the system.
The vulnerability was fixed by restricting the sudoers rule to only allow writing to a specific `snippets` subdirectory with a strict filename pattern, preventing path traversal attacks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking the sudoers configuration for insecure rules that allow the terraform user to run the tee command with wildcard paths that enable directory traversal.
Specifically, look for sudoers lines like `terraform ALL=(root) NOPASSWD: /usr/bin/tee /var/lib/vz/*` or similar patterns that allow tee to write to any file under a directory.
To identify the mount point of the datastore on the Proxmox node, you can use the command:
- `pvesh get /storage/<name>`
To test if the vulnerability exists, you can attempt a proof of concept command as the terraform user (if you have access), for example:
- `echo "ALL=(ALL) NOPASSWD:ALL" | tee /var/lib/vz/../../../etc/sudoers.d/sudo`
If this command succeeds in creating or modifying files outside the intended directory, the system is vulnerable. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the sudoers configuration to restrict the terraform user's ability to run the tee command only on specific, allowed file paths with strict filename patterns.
Replace insecure wildcard sudoers lines like:
- `terraform ALL=(root) NOPASSWD: /usr/bin/tee /var/lib/vz/*`
With a more restrictive rule such as:
- `terraform ALL=(root) NOPASSWD: /usr/bin/tee /var/lib/vz/snippets/[a-zA-Z0-9_][a-zA-Z0-9_.-]*`
For other datastores, similarly restrict the path, for example:
- `terraform ALL=(root) NOPASSWD: /usr/bin/tee /mnt/pve/cephfs/snippets/[a-zA-Z0-9_][a-zA-Z0-9_.-]*`
Additionally, update the terraform-provider-proxmox to version 0.93.1 or later where this issue is patched.
Avoid using wildcard patterns in sudoers rules that allow the tee command to write to arbitrary files. [1, 2]
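The following POSIX shell script is an added example, not code from this advisory or from the provider project. It covers both the detection question (scan sudoers text for a tee rule whose argument is a bare directory wildcard) and the mitigation question (confirm that the restricted `snippets` rule no longer admits a `../` path). The sudoers content embedded in it is constructed sample input, and the path `/etc/sudoers.d/terraform` in the usage comment is an illustrative placeholder. It assumes, as the advisory's own PoC implies, that sudoers matches command arguments with shell-style globs in which `*` also matches `/`; a POSIX `case` pattern reproduces that behaviour closely enough for an audit.

```shell
#!/bin/sh
# Added example (not from the advisory or the provider): audit sudoers text for
# the wildcard tee rule and show, via a POSIX 'case' glob, why the wildcard rule
# admits a '../' path while the restricted snippets rule does not.
# Assumption: sudoers argument globs behave like 'case' patterns ('*' matches '/').

# Constructed sample sudoers content; not taken from any real host.
SAMPLE_SUDOERS='# constructed sample
Defaults env_reset
root ALL=(ALL:ALL) ALL
terraform ALL=(root) NOPASSWD: /usr/bin/tee /var/lib/vz/*
terraform ALL=(root) NOPASSWD: /usr/bin/tee /var/lib/vz/snippets/[a-zA-Z0-9_][a-zA-Z0-9_.-]*
terraform ALL=(root) NOPASSWD: /usr/bin/tee /mnt/pve/cephfs/*'

# A tee rule whose argument is "<directory>/*" with nothing after the asterisk:
# the shape the advisory identifies as insecure. Comment lines are skipped.
INSECURE_TEE_RE='^[^#]*[[:space:]]/usr/bin/tee[[:space:]]+[^[:space:]]*/\*[[:space:]]*$'

# count_insecure_tee_rules: print how many lines of $1 match INSECURE_TEE_RE.
count_insecure_tee_rules() {
    printf '%s\n' "$1" | grep -cE "$INSECURE_TEE_RE" || true
}

# list_insecure_tee_rules: print the offending lines of $1, one per line.
list_insecure_tee_rules() {
    printf '%s\n' "$1" | grep -E "$INSECURE_TEE_RE" || true
}

# audit_sudoers_file: run the check against a real file, e.g. the placeholder
# /etc/sudoers.d/terraform. Exit status 1 when any insecure rule is present,
# so the function can gate a configuration pipeline.
audit_sudoers_file() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    n=$(grep -cE "$INSECURE_TEE_RE" "$file" || true)
    if [ "$n" -gt 0 ]; then
        echo "$file: $n insecure tee wildcard rule(s):"
        grep -nE "$INSECURE_TEE_RE" "$file"
        return 1
    fi
    echo "$file: no insecure tee wildcard rules"
    return 0
}

# glob_admits: exit 0 if argument $2 matches the sudoers argument glob $1.
# The unquoted $pattern in the case arm is deliberate: it is matched as a glob.
glob_admits() {
    pattern=$1
    candidate=$2
    case $candidate in
        $pattern) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo when run directly.
echo "insecure rules in sample: $(count_insecure_tee_rules "$SAMPLE_SUDOERS")"
list_insecure_tee_rules "$SAMPLE_SUDOERS"
TRAVERSAL='/var/lib/vz/../../../etc/sudoers.d/sudo'
if glob_admits '/var/lib/vz/*' "$TRAVERSAL"; then
    echo "wildcard rule admits: $TRAVERSAL"
fi
RESTRICTED='/var/lib/vz/snippets/[a-zA-Z0-9_][a-zA-Z0-9_.-]*'
if ! glob_admits "$RESTRICTED" '/var/lib/vz/snippets/../../../etc/sudoers.d/sudo'; then
    echo "restricted rule rejects a path whose filename starts with '.'"
fi
if glob_admits "$RESTRICTED" '/var/lib/vz/snippets/cloud-init.yaml'; then
    echo "restricted rule still admits a normal snippet name"
fi
```

Run the script as-is to see the sample audit, or call `audit_sudoers_file /etc/sudoers.d/<your-file>` (substitute the real drop-in name) from a configuration check. The regex flags only the bare `<dir>/*` shape named in the advisory; the restricted rule's leading `[a-zA-Z0-9_]` is what rejects `..` as the first filename component, which is the property the glob test verifies.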