CVSS Vector
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Description
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. Initially assigned to document an issue that allows a guest VM to modify the host’s Vagrantfile via the default synced folder, leading to host-side code execution. Rejected as a CVE due to documented, intended behavior that does not violate a claimed security boundary. https://developer.hashicorp.com/vagrant/docs/synced-folders
Analysis
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. Rated medium severity (CVSS 5.4) with low attack complexity. No vendor patch is available.
Affected Products
See vendor advisory for affected versions.
Remediation
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Vendor Status
Ubuntu
Priority: Negligible

| Release | Status | Version |
|---|---|---|
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| bionic | not-affected | - |
| focal | not-affected | - |
| jammy | not-affected | - |
| upstream | not-affected | - |
| xenial | not-affected | - |
EUVD-2025-19756
GHSA-hqp6-mjw3-f586