Skip to content

Commit c4b750a

Browse files
jasnowRubySec CI
jasnow
authored and
RubySec CI
committed
Updated advisory posts against rubysec/ruby-advisory-db@f29af40 
1 parent 43bce59 commit c4b750a

File tree

1 file changed

+49
-0
lines changed

1 file changed

+49
-0
lines changed

advisories/_posts/2025-07-02-CVE-2025-34075.md

Lines changed: 49 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,49 @@
1+
---
2+
layout: advisory
3+
title: 'CVE-2025-34075 (vagrant): HashiCorp Vagrant has code injection vulnerability
4+
through default synced folders'
5+
comments: false
6+
categories:
7+
- vagrant
8+
advisory:
9+
gem: vagrant
10+
cve: 2025-34075
11+
ghsa: hqp6-mjw3-f586
12+
url: https://github.com/advisories/GHSA-hqp6-mjw3-f586
13+
title: HashiCorp Vagrant has code injection vulnerability through default synced
14+
folders
15+
date: 2025-07-02
16+
description: |
17+
An authenticated virtual machine escape vulnerability exists in
18+
HashiCorp Vagrant versions 2.4.6 and below when using the default
19+
synced folder configuration. By design, Vagrant automatically mounts
20+
the host system’s project directory into the guest VM under /vagrant
21+
(or C:\vagrant on Windows). This includes the Vagrantfile configuration
22+
file, which is a Ruby script evaluated by the host every time a vagrant
23+
command is executed in the project directory. If a low-privileged
24+
attacker obtains shell access to the guest VM, they can append
25+
arbitrary Ruby code to the mounted Vagrantfile. When a user on the
26+
host later runs any vagrant command, the injected code is executed
27+
on the host with that user’s privileges.
28+
29+
While this shared-folder behavior is well-documented by Vagrant, the
30+
security implications of Vagrantfile execution from guest-writable
31+
storage are not explicitly addressed. This effectively enables
32+
guest-to-host code execution in multi-tenant or adversarial VM scenarios.
33+
cvss_v4: 5.4
34+
unaffected_versions:
35+
- "< 2.2.10"
36+
patched_versions:
37+
- ">= 2.4.7"
38+
related:
39+
url:
40+
- https://nvd.nist.gov/vuln/detail/CVE-2025-34075
41+
- https://developer.hashicorp.com/vagrant
42+
- https://developer.hashicorp.com/vagrant/docs/synced-folders/basic_usage
43+
- https://developer.hashicorp.com/vagrant/docs/vagrantfile
44+
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/local/vagrant_synced_folder_vagrantfile_breakout.rb
45+
- https://vulncheck.com/advisories/hashicorp-vagrant-synced-folder-vagrantfile-breakout
46+
- https://github.com/hashicorp/vagrant/issues/13688
47+
- https://github.com/hashicorp/vagrant/commit/abe87b2fdc124ef426c016d44d2f6f4792f0cbe3
48+
- https://github.com/advisories/GHSA-hqp6-mjw3-f586
49+
---

0 commit comments

Comments
 (0)