CVE-2025-67124

MEDIUM

Svenstaro Miniserve < 0.32.0 - Symlink Following

Title source: rule

Description

A TOCTOU and symlink race in svenstaro/miniserve 0.32.0 upload finalization (when uploads are enabled) can allow an attacker to overwrite arbitrary files outside the intended upload/document root in deployments where the attacker can create/replace filesystem entries in the upload destination directory (e.g., shared writable directory/volume).

References (2)

[Exploit, Third Party Advisory] https://gist.github.com/thesmartshadow/55688f87f8b985eb530e07d00ef8c63f

[Product] https://github.com/svenstaro/miniserve

View Writeup ZIP pw:eip

Scores

CVSS v3 6.8

EPSS 0.0002

EPSS Percentile 4.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H

Classification

CWE

CWE-59 CWE-367

Status published

Affected Products (2)

svenstaro/miniserve

crates.io/miniserve < 0.32.0crates.io

Timeline

Published Jan 23, 2026

Tracked Since Feb 18, 2026