CVE-2025-67124 — MEDIUM (6.8)

Vulnerability Description

A TOCTOU and symlink race in svenstaro/miniserve 0.32.0 upload finalization (when uploads are enabled) can allow an attacker to overwrite arbitrary files outside the intended upload/document root in deployments where the attacker can create/replace filesystem entries in the upload destination directory (e.g., shared writable directory/volume).

CVSS Score

6.8

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Svenstaro	Miniserve	0.32.0

Related Weaknesses (CWE)

CWE-59 CWE-367

References

https://gist.github.com/thesmartshadow/55688f87f8b985eb530e07d00ef8c63fExploitThird Party Advisory
https://github.com/svenstaro/miniserveProduct

FAQ

What is CVE-2025-67124?

CVE-2025-67124 is a vulnerability with a CVSS score of 6.8 (MEDIUM). A TOCTOU and symlink race in svenstaro/miniserve 0.32.0 upload finalization (when uploads are enabled) can allow an attacker to overwrite arbitrary files outside the intended upload/document root in d...

How severe is CVE-2025-67124?

CVE-2025-67124 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-67124?

Check the references section above for vendor advisories and patch information. Affected products include: Svenstaro Miniserve.