GHSA-459F-X8VQ-XJJM

Vulnerability from github – Published: 2025-12-08 22:18 – Updated: 2025-12-09 19:17
VLAI?
Summary
Static Web Server vulnerable to a symbolic link path traversal
Details

Summary

Symbolic links (symlinks) could be used to access files or directories outside the intended web root folder.

Details

SWS generally does not prevent symlinks from escaping the web server’s root directory. Therefore, if a malicious actor gains access to the web server’s root directory, they could create symlinks to access other files outside the designated web root folder either by URL or via the directory listing.

PoC

  • Serve a directory (web root) with SWS.
  • Create a symlink inside the web root that points to a file outside the web root. e.g. ln -s escape.txt $HOME/.bashrc
  • Open http://localhost/escape.txt in your browser.
  • The file content will be served.

Impact

Any web server that runs with elevated privileges (e.g., root/administrator) and handles user-supplied file uploads is primarily impacted.

Severity ?
5.5 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.40.0"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "static-web-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.40.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-67487"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-61"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-08T22:18:00Z",
    "nvd_published_at": "2025-12-09T16:18:24Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nSymbolic links (_symlinks_) could be used to access files or directories outside the intended web root folder.\n\n### Details\n\nSWS generally does not prevent symlinks from escaping the web server\u2019s root directory. Therefore, if a malicious actor gains access to the web server\u2019s root directory, they could create symlinks to access other files outside the designated web root folder either by URL or via the directory listing.\n\n### PoC\n\n- Serve a directory (web root) with SWS.\n- Create a symlink inside the web root that points to a file outside the web root.\n  e.g. `ln -s escape.txt $HOME/.bashrc`\n- Open `http://localhost/escape.txt` in your browser.\n- The file content will be served.\n\n### Impact\n\nAny web server that runs with elevated privileges (e.g., root/administrator) and handles user-supplied file uploads is primarily impacted.",
  "id": "GHSA-459f-x8vq-xjjm",
  "modified": "2025-12-09T19:17:06Z",
  "published": "2025-12-08T22:18:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/static-web-server/static-web-server/security/advisories/GHSA-459f-x8vq-xjjm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67487"
    },
    {
      "type": "WEB",
      "url": "https://github.com/static-web-server/static-web-server/commit/308f0d26ceb9c2c8bd219315d0f53914763357f2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/static-web-server/static-web-server"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Static Web Server vulnerable to a symbolic link path traversal"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.