CVE-2025-70341
Race Condition in App-Auto-Patch 3.4.2 Allows Arbitrary File Write
Publication date: 2026-03-04
Last updated on: 2026-03-05
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| app-auto-patch | app-auto-patch | up to 3.4.2 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-732 | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-70341 is a local privilege escalation vulnerability in App-Auto-Patch versions up to 3.4.2 caused by insecure permissions and a race condition (time-of-check-time-of-use, TOCTOU). The application creates a working directory with world-writable permissions (chmod 777), allowing any local user to write or modify files there.
During installation, a package (PKG) is downloaded and its signature verified in this directory. However, there is a race window where an attacker can replace the verified package with a malicious one, which then gets installed and executed with root privileges.
Additionally, the vulnerability includes unsafe use of the eval command on unsanitized input in a script, allowing arbitrary code execution as root during label parsing.
How can this vulnerability impact me?
This vulnerability allows a local attacker with low privileges to escalate their privileges to root by exploiting the race condition and insecure directory permissions.
An attacker can execute arbitrary code with root privileges, potentially leading to full system compromise, unauthorized access, modification, or deletion of sensitive files, and disruption of system availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the App-Auto-Patch working directory (appAutoPatchFolder) has insecure permissions, specifically if it is world-writable (chmod 777). An attacker exploits this by writing arbitrary files in this directory.
To detect the vulnerability, you can check the permissions of the directory used by App-Auto-Patch. For example, on a macOS system, you can run the following command to check if the directory is world-writable:
- ls -ld /path/to/appAutoPatchFolder
If the permissions show 'drwxrwxrwx' or similar (777), it indicates the directory is world-writable and vulnerable.
Additionally, monitoring for suspicious file modifications or unexpected package installations in this directory could help detect exploitation attempts.
The proof-of-concept exploit uses scripts to monitor the vulnerable directory and perform a race condition attack, so similar monitoring scripts could be adapted for detection. [2]
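
The permission check from the answer above, written as a reusable audit function. This is an added example, not code from App-Auto-Patch or from the original page. It goes beyond the single `ls -ld` check by also flagging world-writable entries inside the directory and entries owned by a different account; the function name and the path you pass in are assumptions.

```shell
#!/bin/sh
# Added example, not App-Auto-Patch code. Audits a working directory for the
# permission problem described above. The path you pass in is an assumption:
# the page only refers to it as appAutoPatchFolder.
# Usage: audit_workdir /path/to/appAutoPatchFolder
# Returns 0 if clean, 1 if there are findings, 2 if the path is not a directory.
audit_workdir() {
    dir=$1
    findings=0
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "not a real directory: $dir" >&2
        return 2
    fi

    # 1. The directory itself. An "other" write bit (the 777 case) lets any
    #    local user create, rename or replace files in it.
    if [ -n "$(find "$dir" -prune -perm -0002 -print)" ]; then
        echo "WORLD-WRITABLE DIR: $dir"
        findings=1
    fi

    # 2. Files and subdirectories that any user can modify in place.
    #    Symlinks are skipped because their own mode bits are meaningless.
    loose=$(find "$dir" -mindepth 1 \( -type f -o -type d \) -perm -0002 -print)
    if [ -n "$loose" ]; then
        printf '%s\n' "$loose" | sed 's/^/WORLD-WRITABLE ENTRY: /'
        findings=1
    fi

    # 3. Entries owned by someone other than the directory's owner: a sign
    #    that another account has written into the working directory.
    owner=$(ls -ldn "$dir" | awk '{print $3}')
    foreign=$(find "$dir" -mindepth 1 ! -user "$owner" -print)
    if [ -n "$foreign" ]; then
        printf '%s\n' "$foreign" | sed 's/^/FOREIGN OWNER: /'
        findings=1
    fi

    return "$findings"
}
```

A non-zero return from a scheduled run of this function is a reasonable trigger for an alert on managed Macs.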
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to restrict the permissions of the App-Auto-Patch working directory to prevent unauthorized write access.
- Change the directory permissions from world-writable (chmod 777) to more restrictive permissions such as chmod 755.
This change breaks the race condition attack chain by preventing unprivileged users from writing or modifying files in the directory.
Additionally, ensure you are running App-Auto-Patch version 3.5.0 or later, where this vulnerability has been fixed.
Avoid using or executing scripts that use unsafe eval commands on untrusted input, as this can lead to command injection.