CVE-2025-67124: miniserve affected by a TOCTOU and symlink race vulnerability

January 23, 2026

A TOCTOU and symlink race in svenstaro/miniserve 0.32.0 upload finalization (when uploads are enabled) can allow an attacker to overwrite arbitrary files outside the intended upload/document root in deployments where the attacker can create/replace filesystem entries in the upload destination directory (e.g., shared writable directory/volume).

References

gist.github.com/thesmartshadow/55688f87f8b985eb530e07d00ef8c63f
github.com/advisories/GHSA-mxc8-4jqf-368q
github.com/svenstaro/miniserve
nvd.nist.gov/vuln/detail/CVE-2025-67124

Code Behaviors & Features

Detect and mitigate CVE-2025-67124 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →