Fluid Attacks Database

Description

miniserve affected by a TOCTOU and symlink race vulnerability A TOCTOU and symlink race in svenstaro/miniserve 0.32.0 upload finalization (when uploads are enabled) can allow an attacker to overwrite arbitrary files outside the intended upload/document root in deployments where the attacker can create/replace filesystem entries in the upload destination directory (e.g., shared writable directory/volume).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
cargo	miniserve	>=0 <0.32.0	0.32.0

Aliases

1. CVE-2025-671242. NVD-2025-671243. OSV-2025-671244. GCVE-2025-67124

References

1. https://gist.github.com/thesmartshadow/55688f87f8b985eb530e07d00ef8c63f

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.