What is the CVSS score of CVE-2025-67124?

CVE-2025-67124 has a CVSS 3.1 base score of 6.8 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Miniserve are affected by CVE-2025-67124?

CVE-2025-67124 presents notable security risk rated CVSS 6.8. Exploitation could compromise the security of affected deployments. Proof-of-concept code is publicly available.. A patch is available.

Is there a public PoC exploit available for CVE-2025-67124?

Yes, a public proof-of-concept exploit is available for CVE-2025-67124. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2025-67124?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Miniserve CVE-2025-67124

MEDIUM

Improper Link Resolution Before File Access (CWE-59)

2026-01-23 cve@mitre.org

GHSA-mxc8-4jqf-368q

Race Condition Miniserve

6.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 11, 2026 - 19:45 vuln.today

Public exploit code

CVE Published

Jan 23, 2026 - 16:15 nvd

MEDIUM 6.8

DescriptionNVD

A TOCTOU and symlink race in svenstaro/miniserve 0.32.0 upload finalization (when uploads are enabled) can allow an attacker to overwrite arbitrary files outside the intended upload/document root in deployments where the attacker can create/replace filesystem entries in the upload destination directory (e.g., shared writable directory/volume).

AnalysisAI

Miniserve versions up to 0.32.0 is affected by improper link resolution before file access (CVSS 6.8).

Technical ContextAI

This vulnerability (CWE-59: Improper Link Resolution Before File Access) affects Miniserve. A TOCTOU and symlink race in svenstaro/miniserve 0.32.0 upload finalization (when uploads are enabled) can allow an attacker to overwrite arbitrary files outside the intended upload/document root in deployments where the attacker can create/replace filesystem entries in the upload destination directory (e.g., shared writable directory/volume).

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

CVE-2025-67124 vulnerability details – vuln.today

Back

Miniserve CVE-2025-67124

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code