Commit f29af40

jasnowpostmodern authored and committed
GHSA SYNC: 1 brand new advisory
1 parent 561272a commit f29af40

1 file changed

+41
-0
lines changed

gems/vagrant/CVE-2025-34075.yml

Lines changed: 41 additions & 0 deletions
@@ -0,0 +1,41 @@
1+
---
2+
gem: vagrant
3+
cve: 2025-34075
4+
ghsa: hqp6-mjw3-f586
5+
url: https://github.com/advisories/GHSA-hqp6-mjw3-f586
6+
title: HashiCorp Vagrant has code injection vulnerability
7+
through default synced folders
8+
date: 2025-07-02
9+
description: |
10+
An authenticated virtual machine escape vulnerability exists in
11+
HashiCorp Vagrant versions 2.4.6 and below when using the default
12+
synced folder configuration. By design, Vagrant automatically mounts
13+
the host system’s project directory into the guest VM under /vagrant
14+
(or C:\vagrant on Windows). This includes the Vagrantfile configuration
15+
file, which is a Ruby script evaluated by the host every time a vagrant
16+
command is executed in the project directory. If a low-privileged
17+
attacker obtains shell access to the guest VM, they can append
18+
arbitrary Ruby code to the mounted Vagrantfile. When a user on the
19+
host later runs any vagrant command, the injected code is executed
20+
on the host with that user’s privileges.
21+
22+
While this shared-folder behavior is well-documented by Vagrant, the
23+
security implications of Vagrantfile execution from guest-writable
24+
storage are not explicitly addressed. This effectively enables
25+
guest-to-host code execution in multi-tenant or adversarial VM scenarios.
26+
cvss_v4: 5.4
27+
unaffected_versions:
28+
- "< 2.2.10"
29+
patched_versions:
30+
- ">= 2.4.7"
31+
related:
32+
url:
33+
- https://nvd.nist.gov/vuln/detail/CVE-2025-34075
34+
- https://developer.hashicorp.com/vagrant
35+
- https://developer.hashicorp.com/vagrant/docs/synced-folders/basic_usage
36+
- https://developer.hashicorp.com/vagrant/docs/vagrantfile
37+
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/local/vagrant_synced_folder_vagrantfile_breakout.rb
38+
- https://vulncheck.com/advisories/hashicorp-vagrant-synced-folder-vagrantfile-breakout
39+
- https://github.com/hashicorp/vagrant/issues/13688
40+
- https://github.com/hashicorp/vagrant/commit/abe87b2fdc124ef426c016d44d2f6f4792f0cbe3
41+
- https://github.com/advisories/GHSA-hqp6-mjw3-f586
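
Review bot: The version fields and the description disagree: the description (added lines 10-11) says the issue affects "versions 2.4.6 and below", while `unaffected_versions` lists `"< 2.2.10"`, which excludes every release before 2.2.10. Either state in the description that the affected range starts at 2.2.10, or drop the `unaffected_versions` entry, so the prose and the structured fields agree. Two smaller points in `related.url`: the last entry repeats the top-level `url` (https://github.com/advisories/GHSA-hqp6-mjw3-f586) and can be removed, and the Metasploit module link points at `master`, so it will drift or break if the file is moved; a commit-pinned URL would stay stable.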
