Common Weakness Enumeration

CWE-367

Allowed

Time-of-check Time-of-use (TOCTOU) Race Condition

Abstraction: Base · Status: Incomplete

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

1063 vulnerabilities reference this CWE, most recent first.

CVE-2025-46415 (GCVE-0-2025-46415)

Vulnerability from cvelistv5 – Published: 2025-06-27 00:00 – Updated: 2025-06-27 19:57
VLAI
Summary
A race condition in the Nix, Lix, and Guix package managers allows the removal of content from arbitrary folders. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Assigner
Impacted products
Vendor Product Version
NixOS Nix Affected: 0 , < 2.24.15 (semver)
Affected: 2.25.0 , < 2.26.4 (semver)
Affected: 2.27.0 , < 2.28.4 (semver)
Affected: 2.29.0 , < 2.29.1 (semver)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-46415",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-27T19:57:42.327675Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-27T19:57:56.693Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Nix",
          "vendor": "NixOS",
          "versions": [
            {
              "lessThan": "2.24.15",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.26.4",
              "status": "affected",
              "version": "2.25.0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.28.4",
              "status": "affected",
              "version": "2.27.0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.29.1",
              "status": "affected",
              "version": "2.29.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:nixos:nix:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.24.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:nixos:nix:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.26.4",
                  "versionStartIncluding": "2.25.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:nixos:nix:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.28.4",
                  "versionStartIncluding": "2.27.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:nixos:nix:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.29.1",
                  "versionStartIncluding": "2.29.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A race condition in the Nix, Lix, and Guix package managers allows the removal of content from arbitrary folders. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 3.2,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-367",
              "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-27T13:23:22.298Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://discourse.nixos.org/t/security-advisory-privilege-escalations-in-nix-lix-and-guix/66017"
        },
        {
          "url": "https://lix.systems/blog/2025-06-24-lix-cves/"
        },
        {
          "url": "https://guix.gnu.org/en/blog/2025/privilege-escalation-vulnerabilities-2025/"
        },
        {
          "url": "https://labs.snyk.io"
        },
        {
          "url": "https://security.snyk.io/vuln/?search=CVE-2025-46415"
        },
        {
          "url": "https://security-tracker.debian.org/tracker/CVE-2025-46415"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-46415",
    "datePublished": "2025-06-27T00:00:00.000Z",
    "dateReserved": "2025-04-24T00:00:00.000Z",
    "dateUpdated": "2025-06-27T19:57:56.693Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-46336 (GCVE-0-2025-46336)

Vulnerability from cvelistv5 – Published: 2025-05-08 19:26 – Updated: 2025-05-08 20:18
VLAI
Title
Rack session gets restored after deletion
Summary
Rack::Session is a session management implementation for Rack. In versions starting from 2.0.0 to before 2.1.1, when using the Rack::Session::Pool middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to logout. This issue has been patched in version 2.1.1.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
  • CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
  • CWE-613 - Insufficient Session Expiration
Assigner
Impacted products
Vendor Product Version
rack rack-session Affected: >= 2.0.0, < 2.1.1
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-46336",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-08T20:18:09.543353Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-08T20:18:38.555Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "rack-session",
          "vendor": "rack",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.0.0, \u003c 2.1.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Rack::Session is a session management implementation for Rack. In versions starting from 2.0.0 to before 2.1.1, when using the Rack::Session::Pool middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to logout. This issue has been patched in version 2.1.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-362",
              "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-367",
              "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-613",
              "description": "CWE-613: Insufficient Session Expiration",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-08T19:26:01.638Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj"
        },
        {
          "name": "https://github.com/rack/rack/security/advisories/GHSA-vpfw-47h7-xj4g",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rack/rack/security/advisories/GHSA-vpfw-47h7-xj4g"
        },
        {
          "name": "https://github.com/rack/rack-session/commit/c28c4a8c1861d814e09f2ae48264ac4c40be2d3b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rack/rack-session/commit/c28c4a8c1861d814e09f2ae48264ac4c40be2d3b"
        }
      ],
      "source": {
        "advisory": "GHSA-9j94-67jr-4cqj",
        "discovery": "UNKNOWN"
      },
      "title": "Rack session gets restored after deletion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-46336",
    "datePublished": "2025-05-08T19:26:01.638Z",
    "dateReserved": "2025-04-22T22:41:54.911Z",
    "dateUpdated": "2025-05-08T20:18:38.555Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-46328 (GCVE-0-2025-46328)

Vulnerability from cvelistv5 – Published: 2025-04-28 22:33 – Updated: 2025-04-29 13:41
VLAI
Title
NodeJS Driver for Snowflake has race condition when checking access to Easy Logging configuration file
Summary
snowflake-connector-nodejs is a NodeJS driver for Snowflake. Versions starting from 1.10.0 to before 2.0.4, are vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition. When using the Easy Logging feature on Linux and macOS the Driver reads logging configuration from a user-provided file. On Linux and macOS the Driver verifies that the configuration file can be written to only by its owner. That check was vulnerable to a TOCTOU race condition and failed to verify that the file owner matches the user running the Driver. This could allow a local attacker with write access to the configuration file or the directory containing it to overwrite the configuration and gain control over logging level and output location. This issue has been patched in version 2.0.4.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Assigner
References
Impacted products
Vendor Product Version
snowflakedb snowflake-connector-nodejs Affected: >= 1.10.0, < 2.0.4
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-46328",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-29T13:41:05.111533Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-29T13:41:29.830Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "snowflake-connector-nodejs",
          "vendor": "snowflakedb",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.10.0, \u003c 2.0.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "snowflake-connector-nodejs is a NodeJS driver for Snowflake. Versions starting from 1.10.0 to before 2.0.4, are vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition. When using the Easy Logging feature on Linux and macOS the Driver reads logging configuration from a user-provided file. On Linux and macOS the Driver verifies that the configuration file can be written to only by its owner. That check was vulnerable to a TOCTOU race condition and failed to verify that the file owner matches the user running the Driver. This could allow a local attacker with write access to the configuration file or the directory containing it to overwrite the configuration and gain control over logging level and output location. This issue has been patched in version 2.0.4."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-367",
              "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-28T22:33:09.632Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/snowflakedb/snowflake-connector-nodejs/security/advisories/GHSA-wmjq-jrm2-9wfr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/snowflakedb/snowflake-connector-nodejs/security/advisories/GHSA-wmjq-jrm2-9wfr"
        },
        {
          "name": "https://github.com/snowflakedb/snowflake-connector-nodejs/commit/e94c24112271e1f44c271634bf29a3188acc68d0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/snowflakedb/snowflake-connector-nodejs/commit/e94c24112271e1f44c271634bf29a3188acc68d0"
        }
      ],
      "source": {
        "advisory": "GHSA-wmjq-jrm2-9wfr",
        "discovery": "UNKNOWN"
      },
      "title": "NodeJS Driver for Snowflake has race condition when checking access to Easy Logging configuration file"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-46328",
    "datePublished": "2025-04-28T22:33:09.632Z",
    "dateReserved": "2025-04-22T22:41:54.911Z",
    "dateUpdated": "2025-04-29T13:41:29.830Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-46327 (GCVE-0-2025-46327)

Vulnerability from cvelistv5 – Published: 2025-04-28 22:33 – Updated: 2025-04-29 13:43
VLAI
Title
Go Snowflake Driver has race condition when checking access to Easy Logging configuration file
Summary
gosnowflake is the Snowflake Golang driver. Versions starting from 1.7.0 to before 1.13.3, are vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition. When using the Easy Logging feature on Linux and macOS, the Driver reads logging configuration from a user-provided file. On Linux and macOS the Driver verifies that the configuration file can be written to only by its owner. That check was vulnerable to a TOCTOU race condition and failed to verify that the file owner matches the user running the Driver. This could allow a local attacker with write access to the configuration file or the directory containing it to overwrite the configuration and gain control over logging level and output location. This issue has been patched in version 1.13.3.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Assigner
References
Impacted products
Vendor Product Version
snowflakedb gosnowflake Affected: >= 1.7.0, < 1.13.3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-46327",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-29T13:42:52.917381Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-29T13:43:12.167Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "gosnowflake",
          "vendor": "snowflakedb",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.7.0, \u003c 1.13.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "gosnowflake is the Snowflake Golang driver. Versions starting from 1.7.0 to before 1.13.3, are vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition. When using the Easy Logging feature on Linux and macOS, the Driver reads logging configuration from a user-provided file. On Linux and macOS the Driver verifies that the configuration file can be written to only by its owner. That check was vulnerable to a TOCTOU race condition and failed to verify that the file owner matches the user running the Driver. This could allow a local attacker with write access to the configuration file or the directory containing it to overwrite the configuration and gain control over logging level and output location. This issue has been patched in version 1.13.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-367",
              "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-28T22:33:05.249Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/snowflakedb/gosnowflake/security/advisories/GHSA-6jgm-j7h2-2fqg",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/snowflakedb/gosnowflake/security/advisories/GHSA-6jgm-j7h2-2fqg"
        },
        {
          "name": "https://github.com/snowflakedb/gosnowflake/commit/ba94a4800e23621eff558ef18ce4b96ec5489ff0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/snowflakedb/gosnowflake/commit/ba94a4800e23621eff558ef18ce4b96ec5489ff0"
        }
      ],
      "source": {
        "advisory": "GHSA-6jgm-j7h2-2fqg",
        "discovery": "UNKNOWN"
      },
      "title": "Go Snowflake Driver has race condition when checking access to Easy Logging configuration file"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-46327",
    "datePublished": "2025-04-28T22:33:05.249Z",
    "dateReserved": "2025-04-22T22:41:54.910Z",
    "dateUpdated": "2025-04-29T13:43:12.167Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-46326 (GCVE-0-2025-46326)

Vulnerability from cvelistv5 – Published: 2025-04-28 22:33 – Updated: 2025-04-29 13:42
VLAI
Title
Snowflake Connector for .NET has race condition when checking access to Easy Logging configuration file
Summary
snowflake-connector-net is the Snowflake Connector for .NET. Versions starting from 2.1.2 to before 4.4.1, are vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition. When using the Easy Logging feature on Linux and macOS, the Connector reads logging configuration from a user-provided file. On Linux and macOS, the Connector verifies that the configuration file can be written to only by its owner. That check was vulnerable to a TOCTOU race condition and failed to verify that the file owner matches the user running the Connector. This could allow a local attacker with write access to the configuration file or the directory containing it to overwrite the configuration and gain control over logging level and output location. This issue has been patched in version 4.4.1.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Assigner
Impacted products
Vendor Product Version
snowflakedb snowflake-connector-net Affected: >= 2.1.2, < 4.4.1
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-46326",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-29T13:42:00.946516Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-29T13:42:11.360Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "snowflake-connector-net",
          "vendor": "snowflakedb",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.1.2, \u003c 4.4.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "snowflake-connector-net is the Snowflake Connector for .NET. Versions starting from 2.1.2 to before 4.4.1, are vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition. When using the Easy Logging feature on Linux and macOS, the Connector reads logging configuration from a user-provided file. On Linux and macOS, the Connector verifies that the configuration file can be written to only by its owner. That check was vulnerable to a TOCTOU race condition and failed to verify that the file owner matches the user running the Connector. This could allow a local attacker with write access to the configuration file or the directory containing it to overwrite the configuration and gain control over logging level and output location. This issue has been patched in version 4.4.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-367",
              "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-28T22:33:01.627Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/snowflakedb/snowflake-connector-net/security/advisories/GHSA-c82r-c9f7-f5mj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/snowflakedb/snowflake-connector-net/security/advisories/GHSA-c82r-c9f7-f5mj"
        },
        {
          "name": "https://github.com/snowflakedb/snowflake-connector-net/commit/393aad3cfa81045a05dd488944db45256e861bff",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/snowflakedb/snowflake-connector-net/commit/393aad3cfa81045a05dd488944db45256e861bff"
        },
        {
          "name": "https://github.com/snowflakedb/snowflake-connector-net/releases/tag/v4.4.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/snowflakedb/snowflake-connector-net/releases/tag/v4.4.1"
        }
      ],
      "source": {
        "advisory": "GHSA-c82r-c9f7-f5mj",
        "discovery": "UNKNOWN"
      },
      "title": "Snowflake Connector for .NET has race condition when checking access to Easy Logging configuration file"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-46326",
    "datePublished": "2025-04-28T22:33:01.627Z",
    "dateReserved": "2025-04-22T22:41:54.910Z",
    "dateUpdated": "2025-04-29T13:42:11.360Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-44002 (GCVE-0-2025-44002)

Vulnerability from cvelistv5 – Published: 2025-08-26 11:05 – Updated: 2025-08-26 14:39
VLAI
Title
Arbitrary File Creation via Symbolic Link leading to Denial-of-Service
Summary
Race Condition in the Directory Validation Logic in the TeamViewer Full Client and Host prior version 15.69 on Windows allows a local non-admin user to create arbitrary files with SYSTEM privileges, potentially leading to a denial-of-service condition, via symbolic link manipulation during directory verification.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Assigner
TV
Impacted products
Vendor Product Version
TeamViewer Full Client Affected: 11.0.0 , < 15.69 (custom)
Create a notification for this product.
TeamViewer Host Affected: 11.0.0 , < 15.69 (custom)
Create a notification for this product.
Credits
Trend Micro Zero Day Initiative
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-44002",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-26T14:19:37.473698Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-26T14:39:04.138Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows"
          ],
          "product": "Full Client",
          "vendor": "TeamViewer",
          "versions": [
            {
              "lessThan": "15.69",
              "status": "affected",
              "version": "11.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows"
          ],
          "product": "Host",
          "vendor": "TeamViewer",
          "versions": [
            {
              "lessThan": "15.69",
              "status": "affected",
              "version": "11.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Trend Micro Zero Day Initiative"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eRace Condition in the Directory Validation Logic in the TeamViewer Full Client and Host prior \u003cspan style=\"background-color: rgba(0, 107, 255, 0.2);\"\u003ev\u003c/span\u003eersion 15.69 on Windows allows a local non-admin user to create arbitrary files with SYSTEM privileges, potentially leading to \u003cspan style=\"background-color: rgba(0, 107, 255, 0.2);\"\u003ea \u003c/span\u003edenial-of-service condition, via symbolic link manipulation during directory verification.\u003c/span\u003e"
            }
          ],
          "value": "Race Condition in the Directory Validation Logic in the TeamViewer Full Client and Host prior version 15.69 on Windows allows a local non-admin user to create arbitrary files with SYSTEM privileges, potentially leading to a denial-of-service condition, via symbolic link manipulation during directory verification."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-27",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-27 Leveraging Race Conditions via Symbolic Links"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-367",
              "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-26T11:05:22.270Z",
        "orgId": "13430f76-86eb-43b2-a71c-82c956ef31b6",
        "shortName": "TV"
      },
      "references": [
        {
          "url": "https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1003/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update to the latest version.\n\n\u003cbr\u003e"
            }
          ],
          "value": "Update to the latest version."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Arbitrary File Creation via Symbolic Link leading to Denial-of-Service",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "13430f76-86eb-43b2-a71c-82c956ef31b6",
    "assignerShortName": "TV",
    "cveId": "CVE-2025-44002",
    "datePublished": "2025-08-26T11:05:22.270Z",
    "dateReserved": "2025-04-30T08:08:15.979Z",
    "dateUpdated": "2025-08-26T14:39:04.138Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-42701 (GCVE-0-2025-42701)

Vulnerability from cvelistv5 – Published: 2025-10-08 17:18 – Updated: 2025-10-08 19:26
VLAI
Title
CrowdStrike Falcon Sensor for Windows Race Condition
Summary
A race condition exists in the Falcon sensor for Windows that could allow an attacker, with the prior ability to execute code on a host, to delete arbitrary files. CrowdStrike released a security fix for this issue in Falcon sensor for Windows versions 7.24 and above and all Long Term Visibility (LTV) sensors. There is no indication of exploitation of these issues in the wild. Our threat hunting and intelligence team are actively monitoring for exploitation and we maintain visibility into any such attempts. The Falcon sensor for Mac, the Falcon sensor for Linux and the Falcon sensor for Legacy Systems are not impacted by this. CrowdStrike was made aware of this issue through our HackerOne bug bounty program. It was discovered by Cong Cheng and responsibly disclosed.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Assigner
Impacted products
Vendor Product Version
CrowdStrike Falcon sensor for Windows Affected: 7.28 , < 7.28.20008 (semver)
Affected: 7.27 , < 7.27.19909 (semver)
Affected: 7.26 , < 7.26.19813 (semver)
Affected: 7.25 , < 7.25.19707 (semver)
Affected: 7.24 , < 7.24.19608 (semver)
Create a notification for this product.
CrowdStrike Falcon sensor for Windows Affected: 7.16 , < 7.16.18637 (semver)
Create a notification for this product.
Date Public
2025-10-08 17:17
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-42701",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-08T17:44:45.496342Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-08T19:26:49.280Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "platforms": [
            "Windows"
          ],
          "product": "Falcon sensor for Windows",
          "vendor": "CrowdStrike",
          "versions": [
            {
              "lessThan": "7.28.20008",
              "status": "affected",
              "version": "7.28",
              "versionType": "semver"
            },
            {
              "lessThan": "7.27.19909",
              "status": "affected",
              "version": "7.27",
              "versionType": "semver"
            },
            {
              "lessThan": "7.26.19813",
              "status": "affected",
              "version": "7.26",
              "versionType": "semver"
            },
            {
              "lessThan": "7.25.19707",
              "status": "affected",
              "version": "7.25",
              "versionType": "semver"
            },
            {
              "lessThan": "7.24.19608",
              "status": "affected",
              "version": "7.24",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "platforms": [
            "Windows 7",
            "Windows Server 2008"
          ],
          "product": "Falcon sensor for Windows",
          "vendor": "CrowdStrike",
          "versions": [
            {
              "lessThan": "7.16.18637",
              "status": "affected",
              "version": "7.16",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2025-10-08T17:17:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eA race condition exists in the Falcon sensor for Windows that could allow an attacker, with the prior ability to execute code on a host, to delete arbitrary files. CrowdStrike released a security fix for this issue in Falcon sensor for Windows versions 7.24 and above and all Long Term Visibility (LTV) sensors.\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e\u003cb\u003e\u003c/b\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eThere is no indication of exploitation of these issues in the wild. Our threat hunting and intelligence team are actively monitoring for exploitation and we maintain visibility into any such attempts. \u003c/span\u003e\u003cbr\u003e\u003c/p\u003e\u003cb\u003e\u003c/b\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eThe Falcon sensor for Mac, the Falcon sensor for Linux and the Falcon sensor for Legacy Systems are not impacted by this.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eCrowdStrike was made aware of this issue through our HackerOne bug bounty program. It was discovered by Cong Cheng and responsibly disclosed.\u003c/span\u003e\u003c/p\u003e"
            }
          ],
          "value": "A race condition exists in the Falcon sensor for Windows that could allow an attacker, with the prior ability to execute code on a host, to delete arbitrary files. CrowdStrike released a security fix for this issue in Falcon sensor for Windows versions 7.24 and above and all Long Term Visibility (LTV) sensors.\n\n\nThere is no indication of exploitation of these issues in the wild. Our threat hunting and intelligence team are actively monitoring for exploitation and we maintain visibility into any such attempts. \n\n\nThe Falcon sensor for Mac, the Falcon sensor for Linux and the Falcon sensor for Legacy Systems are not impacted by this.\n\nCrowdStrike was made aware of this issue through our HackerOne bug bounty program. It was discovered by Cong Cheng and responsibly disclosed."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-27",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-27 Leveraging Race Conditions via Symbolic Links"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-367",
              "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-08T17:31:02.619Z",
        "orgId": "13ddcd98-6f4a-40a8-8e24-29ca0aee4661",
        "shortName": "CrowdStrike"
      },
      "references": [
        {
          "url": "https://www.crowdstrike.com/en-us/security-advisories/issues-affecting-crowdstrike-falcon-sensor-for-windows/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "CrowdStrike Falcon Sensor for Windows Race Condition",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "13ddcd98-6f4a-40a8-8e24-29ca0aee4661",
    "assignerShortName": "CrowdStrike",
    "cveId": "CVE-2025-42701",
    "datePublished": "2025-10-08T17:18:32.434Z",
    "dateReserved": "2025-04-16T13:03:27.473Z",
    "dateUpdated": "2025-10-08T19:26:49.280Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-41259 (GCVE-0-2025-41259)

Vulnerability from cvelistv5 – Published: 2026-06-03 11:01 – Updated: 2026-06-03 12:37
VLAI
Title
SWUpdate Untrusted Script Execution via Signed Update TOCTOU
Summary
SWUpdate before 2026.05 is affected by a time-of-check time-of-use (TOCTOU) race condition that allows local unprivileged attackers to escalate privileges to root or install untrusted contents using a signed update.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-367 - Time-of-check time-of-use (TOCTOU) race condition
Assigner
Impacted products
Vendor Product Version
sbabic SWUpdate Affected: 0 , < 2026.05 (custom)
Create a notification for this product.
Credits
Reinhard Kugler (SBA Research)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-41259",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-03T12:36:39.603308Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-03T12:37:01.661Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20251206-01_SWUpdate_Untrusted_Script_Execution_via_Signed_Update_TOCTOU"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SWUpdate",
          "repo": "https://github.com/sbabic/swupdate",
          "vendor": "sbabic",
          "versions": [
            {
              "lessThan": "2026.05",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Reinhard Kugler (SBA Research)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "SWUpdate before 2026.05 is affected by a time-of-check time-of-use (TOCTOU) race condition that allows local unprivileged attackers to escalate privileges to root or install untrusted contents using a signed update."
            }
          ],
          "value": "SWUpdate before 2026.05 is affected by a time-of-check time-of-use (TOCTOU) race condition that allows local unprivileged attackers to escalate privileges to root or install untrusted contents using a signed update."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-367",
              "description": "CWE-367 Time-of-check time-of-use (TOCTOU) race condition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-03T11:01:59.871Z",
        "orgId": "1e3a9e0f-5156-4bf8-b8a3-cc311bfc0f4a",
        "shortName": "sba-research"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20251206-01_SWUpdate_Untrusted_Script_Execution_via_Signed_Update_TOCTOU"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/sbabic/swupdate/commit/f4bd64260e233e207354d68d572b1cbc3e63689d"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/sbabic/swupdate"
        }
      ],
      "source": {
        "advisory": "SBA-ADV-20251206-01",
        "discovery": "UNKNOWN"
      },
      "title": "SWUpdate Untrusted Script Execution via Signed Update TOCTOU",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1e3a9e0f-5156-4bf8-b8a3-cc311bfc0f4a",
    "assignerShortName": "sba-research",
    "cveId": "CVE-2025-41259",
    "datePublished": "2026-06-03T11:01:59.871Z",
    "dateReserved": "2025-04-16T09:37:50.631Z",
    "dateUpdated": "2026-06-03T12:37:01.661Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-34290 (GCVE-0-2025-34290)

Vulnerability from cvelistv5 – Published: 2025-12-20 20:01 – Updated: 2025-12-22 16:17
VLAI
Title
Versa SASE Client for Windows < 7.9.5 Arbitrary Folder Deletion Leading to Local Privilege Escalation
Summary
Versa SASE Client for Windows versions released between 7.8.7 and 7.9.4 contain a local privilege escalation vulnerability in the audit log export functionality. The client communicates user-controlled file paths to a privileged service, which performs file system operations without impersonating the requesting user. Due to improper privilege handling and a time-of-check time-of-use race condition combined with symbolic link and mount point manipulation, a local authenticated attacker can coerce the service into deleting arbitrary directories with SYSTEM privileges. This can be exploited to delete protected system folders such as C:\\Config.msi and subsequently achieve execution as NT AUTHORITY\\SYSTEM via MSI rollback techniques.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-250 - Execution with Unnecessary Privileges
  • CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Assigner
References
Impacted products
Vendor Product Version
Versa Networks SASE Client for Windows Affected: 7.8.7 , < 7.9.5 (semver)
Create a notification for this product.
Credits
Eduardo Pérez Malumbres Cervera from KPMG Spain
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-34290",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-22T16:17:13.098596Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-22T16:17:23.123Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows"
          ],
          "product": "SASE Client for Windows",
          "vendor": "Versa Networks",
          "versions": [
            {
              "lessThan": "7.9.5",
              "status": "affected",
              "version": "7.8.7",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Eduardo P\u00e9rez Malumbres Cervera from KPMG Spain"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Versa SASE Client for Windows versions released between 7.8.7 and 7.9.4 contain a local privilege escalation vulnerability in the audit log export functionality. The client communicates user-controlled file paths to a privileged service, which performs file system operations without impersonating the requesting user. Due to improper privilege handling and a time-of-check time-of-use race condition combined with symbolic link and mount point manipulation, a local authenticated attacker can coerce the service into deleting arbitrary directories with SYSTEM privileges. This can be exploited to delete protected system folders such as C:\\\\Config.msi and subsequently achieve execution as NT AUTHORITY\\\\SYSTEM via MSI rollback techniques."
            }
          ],
          "value": "Versa SASE Client for Windows versions released between 7.8.7 and 7.9.4 contain a local privilege escalation vulnerability in the audit log export functionality. The client communicates user-controlled file paths to a privileged service, which performs file system operations without impersonating the requesting user. Due to improper privilege handling and a time-of-check time-of-use race condition combined with symbolic link and mount point manipulation, a local authenticated attacker can coerce the service into deleting arbitrary directories with SYSTEM privileges. This can be exploited to delete protected system folders such as C:\\\\Config.msi and subsequently achieve execution as NT AUTHORITY\\\\SYSTEM via MSI rollback techniques."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-250",
              "description": "CWE-250 Execution with Unnecessary Privileges",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-367",
              "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-20T20:01:42.552Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://security-portal.versa-networks.com/emailbulletins/69421e33d03aafc8e5bdaf21"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/versa-sase-client-for-windows-arbitrary-file-deletion-leading-to-lpe"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Versa SASE Client for Windows \u003c 7.9.5 Arbitrary Folder Deletion Leading to Local Privilege Escalation",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2025-34290",
    "datePublished": "2025-12-20T20:01:42.552Z",
    "dateReserved": "2025-04-15T19:15:22.581Z",
    "dateUpdated": "2025-12-22T16:17:23.123Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-34027 (GCVE-0-2025-34027)

Vulnerability from cvelistv5 – Published: 2025-05-21 21:58 – Updated: 2026-02-26 18:27
VLAI
Title
Versa Concerto Authentication Bypass File Write Remote Code Execution
Summary
The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The Spack upload endpoint can be leveraged for a Time-of-Check to Time-of-Use (TOCTOU) write in combination with a race condition to achieve remote code execution via path loading manipulation, allowing an unauthenticated actor to achieve remote code execution (RCE).This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Assigner
References
Impacted products
Vendor Product Version
Versa Concerto Affected: 12.1.2 , ≤ 12.2.0 (semver)
Create a notification for this product.
Credits
ProjectDiscovery Harsh Jaiswal Rahul Maini Parth Malhotra
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-34027",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-28T03:56:05.405556Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T18:27:59.207Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "Traefik"
          ],
          "product": "Concerto",
          "vendor": "Versa",
          "versions": [
            {
              "lessThanOrEqual": "12.2.0",
              "status": "affected",
              "version": "12.1.2",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:versa:concerto:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "12.2.0",
                  "versionStartIncluding": "12.1.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "sponsor",
          "value": "ProjectDiscovery"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Harsh Jaiswal"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Rahul Maini"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Parth Malhotra"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The Spack upload endpoint can be leveraged for a Time-of-Check to Time-of-Use (TOCTOU) write in combination with a race condition to achieve remote code execution via path loading manipulation, allowing an unauthenticated actor to achieve remote code execution (RCE).\u003cp\u003eThis issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable.\u003c/p\u003e"
            }
          ],
          "value": "The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The Spack upload endpoint can be leveraged for a Time-of-Check to Time-of-Use (TOCTOU) write in combination with a race condition to achieve remote code execution via path loading manipulation, allowing an unauthenticated actor to achieve remote code execution (RCE).This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-38",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-38 Leveraging/Manipulating Configuration File Search Paths"
            }
          ]
        },
        {
          "capecId": "CAPEC-29",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-29 Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-367",
              "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-28T19:43:34.727Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "exploit",
            "mitigation"
          ],
          "url": "https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Versa Concerto Authentication Bypass File Write Remote Code Execution",
      "x_generator": {
        "engine": "vulncheck"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2025-34027",
    "datePublished": "2025-05-21T21:58:31.698Z",
    "dateReserved": "2025-04-15T19:15:22.545Z",
    "dateUpdated": "2026-02-26T18:27:59.207Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation
Implementation

The most basic advice for TOCTOU vulnerabilities is to not perform a check before the use. This does not resolve the underlying issue of the execution of a function on a resource whose state and identity cannot be assured, but it does help to limit the false sense of security given by the check.

Mitigation
Implementation

When the file being altered is owned by the current user and group, set the effective gid and uid to that of the current user and group when executing this statement.

Mitigation
Architecture and Design

Limit the interleaving of operations on files from multiple processes.

Mitigation
Implementation Architecture and Design

If you cannot perform operations atomically and you must share access to the resource between multiple processes or threads, then try to limit the amount of time (CPU cycles) between the check and use of the resource. This will not fix the problem, but it could make it more difficult for an attack to succeed.

Mitigation
Implementation

Recheck the resource after the use call to verify that the action was taken appropriately.

Mitigation
Architecture and Design

Ensure that some environmental locking mechanism can be used to protect resources effectively.

Mitigation
Implementation

Ensure that locking occurs before the check, as opposed to afterwards, such that the resource, as checked, is the same as it is when in use.

CAPEC-27: Leveraging Race Conditions via Symbolic Links

This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to them. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file they will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.

CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions

This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.