Served Cold: Race Conditions and Arbitrary File Overwrite in miniserve
Vulnerability ID: CVE-2025-67124
CVSS Score: 6.8
Published: 2026-01-23
A classic Time-of-Check to Time-of-Use (TOCTOU) vulnerability in miniserve v0.32.0 allows attackers to overwrite arbitrary files via symbolic link racing during file uploads.
TL;DR
If you run miniserve with file uploads enabled, you may be serving up your own system files on a silver platter. CVE-2025-67124 is a race condition in the upload finalization step: the server validates the destination path and only afterwards writes to it, so an attacker who can swap a symbolic link into the upload directory between those two steps gets the server to write through the link. Winning the race lets them overwrite files outside the upload directory (think /etc/shadow or ~/.ssh/authorized_keys, depending on which user miniserve runs as), which means denial of service or potentially remote code execution. The fix? Upgrade to 0.33.0 or later, or turn off uploads.
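To make the check-then-write window concrete, here is an added example that is not code from miniserve or from the vulnerability report: a simplified upload finalizer written in the vulnerable shape (validate the path with canonicalize, then open it in a second step) next to a hardened one (let the open itself be the check). A constructed hook stands in for the scheduler window in which the attacker swaps in the symlink, so the outcome is deterministic. The function names, the temporary-directory layout and the stand-in authorized_keys file are assumptions for illustration, and it needs a Unix host with symlink support.

```rust
use std::fs::{self, File, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::symlink;
use std::path::{Component, Path};
use std::sync::atomic::{AtomicUsize, Ordering};

// Constructed sample data: a stand-in "sensitive file" outside the upload
// root and the content the attacker wants written into it.
pub const VICTIM_BEFORE: &str = "ssh-ed25519 AAAA...legit admin@host\n";
pub const PAYLOAD: &[u8] = b"ssh-ed25519 AAAA...attacker attacker@evil\n";

/// Vulnerable shape (illustrative, not miniserve's code): the destination is
/// validated with canonicalize() and then opened in a separate step. `race`
/// stands in for the window between the two in which an attacker who can write
/// to the upload root replaces the destination with a symbolic link.
pub fn vulnerable_finalize(root: &Path, dest: &Path, data: &[u8], race: impl FnOnce()) -> io::Result<()> {
    let root_canon = root.canonicalize()?;
    // Time of check: only an existing destination can be resolved, so a fresh
    // upload path passes straight through.
    if let Ok(resolved) = dest.canonicalize() {
        if !resolved.starts_with(&root_canon) {
            return Err(io::Error::new(io::ErrorKind::PermissionDenied, "escapes upload root"));
        }
    }
    race();
    // Time of use: File::create is O_WRONLY|O_CREAT|O_TRUNC, which follows a
    // symlink in the final component and truncates whatever it points at.
    let mut f = File::create(dest)?;
    f.write_all(data)
}

/// Hardened shape: a lexical containment check, then an open with
/// O_CREAT|O_EXCL (create_new). The kernel fails that open if the final
/// component exists at all and does not follow it when it is a symlink, so a
/// link swapped in during `race` yields AlreadyExists instead of a write.
pub fn hardened_finalize(root: &Path, dest: &Path, data: &[u8], race: impl FnOnce()) -> io::Result<()> {
    let escapes = || io::Error::new(io::ErrorKind::PermissionDenied, "escapes upload root");
    let rel = dest.strip_prefix(root).map_err(|_| escapes())?;
    // Refuse anything but plain file-name components (no "..", no absolute paths).
    if rel.components().any(|c| !matches!(c, Component::Normal(_))) {
        return Err(escapes());
    }
    race();
    let mut f = OpenOptions::new().write(true).create_new(true).open(dest)?;
    f.write_all(data)
}

/// Runs one finalize attempt in a fresh temp directory where the attacker
/// always wins the race. Returns (write succeeded, victim file contents after).
pub fn run_scenario(hardened: bool) -> io::Result<(bool, String)> {
    static COUNTER: AtomicUsize = AtomicUsize::new(0);
    let base = std::env::temp_dir().join(format!(
        "miniserve-toctou-{}-{}",
        std::process::id(),
        COUNTER.fetch_add(1, Ordering::SeqCst)
    ));
    let root = base.join("uploads");
    fs::create_dir_all(&root)?;
    let victim = base.join("authorized_keys"); // assumed target outside the root
    fs::write(&victim, VICTIM_BEFORE)?;
    let dest = root.join("report.txt"); // the upload's legitimate destination

    let (v, d) = (victim.clone(), dest.clone());
    let swap = move || {
        // Attacker wins the race: the destination becomes a symlink to the victim.
        let _ = fs::remove_file(&d);
        symlink(&v, &d).expect("attacker could not create symlink");
    };
    let result = if hardened {
        hardened_finalize(&root, &dest, PAYLOAD, swap)
    } else {
        vulnerable_finalize(&root, &dest, PAYLOAD, swap)
    };
    let after = fs::read_to_string(&victim)?;
    let _ = fs::remove_dir_all(&base);
    Ok((result.is_ok(), after))
}

fn main() -> io::Result<()> {
    let (wrote, after) = run_scenario(false)?;
    println!("vulnerable: write ok = {}, victim file now: {:?}", wrote, after);
    let (wrote, after) = run_scenario(true)?;
    println!("hardened:   write ok = {}, victim file now: {:?}", wrote, after);
    Ok(())
}
```

Run it with cargo run or rustc: the vulnerable path reports a successful write and the victim file now holds the attacker's key; the hardened path reports a failed write and the victim is untouched. Two caveats. create_new only protects the final path component and only fits a policy of never overwriting existing files; if overwriting must be supported, open with O_NOFOLLOW (OpenOptionsExt::custom_flags with libc::O_NOFOLLOW) and verify the opened descriptor with fstat instead of re-checking the path. And a symlink swapped into a parent directory of the destination is not caught by either function here; closing that needs directory-descriptor-relative opens (openat), which std::fs does not expose.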
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-367 (TOCTOU)
- Attack Vector: Local / Network (Uploads)
- CVSS: 6.8 (Medium)
- Impact: Arbitrary File Overwrite
- Exploit Status: PoC Available
- Architecture: x86, ARM, etc. (Rust generic)
Affected Systems
- svenstaro/miniserve = 0.32.0 (fixed in 0.33.0)
Exploit Details
- Gist: Original vulnerability report and methodology by Ali Firas
Mitigation Strategies
- Disable file uploads (do not start miniserve with the --upload-files flag) if they are not strictly required.
- Restrict filesystem permissions on the upload directory so that untrusted users cannot create or replace entries in it concurrently; the race needs someone who can place a symlink there between the check and the write.
- Run miniserve as a non-privileged user to limit the impact of an arbitrary file overwrite.
Remediation Steps:
- Stop the running miniserve instance.
- Download the latest release binary from the official GitHub repository.
- Verify the version is 0.33.0 or later (miniserve --version).
- Restart the service.
References
Read the full report for CVE-2025-67124 on our website for more details including interactive diagrams and full exploit analysis.