cvelistv5 - cve-2025-34075

CVE-2025-34075 (GCVE-0-2025-34075)

Vulnerability from cvelistv5 – Published: 2025-07-02 19:26 – Updated: 2025-07-16 13:23

This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. Initially assigned to document an issues that allows guest VM to modify the host’s Vagrantfile via default synced folder, leading to host-side code execution. Rejected as CVE due to documented, intended behavior that does not violate a claimed security boundary. https://developer.hashicorp.com/vagrant/docs/synced-folders

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "providerMetadata": {
        "dateUpdated": "2025-07-16T13:23:44.080Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "rejectedReasons": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\u003cbr\u003e\u003cbr\u003eInitially assigned to document an issues that allows guest VM to modify the host\u2019s \u003ccode\u003eVagrantfile\u003c/code\u003e via default synced folder, leading to host-side code execution. Rejected as CVE due to documented, intended behavior that does not violate a claimed security boundary.\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://developer.hashicorp.com/vagrant/docs/synced-folders\"\u003ehttps://developer.hashicorp.com/vagrant/docs/synced-folders\u003c/a\u003e\u003cbr\u003e"
            }
          ],
          "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\n\nInitially assigned to document an issues that allows guest VM to modify the host\u2019s Vagrantfile via default synced folder, leading to host-side code execution. Rejected as CVE due to documented, intended behavior that does not violate a claimed security boundary.\u00a0 https://developer.hashicorp.com/vagrant/docs/synced-folders"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2025-34075",
    "datePublished": "2025-07-02T19:26:01.774Z",
    "dateRejected": "2025-07-10T00:34:56.477Z",
    "dateReserved": "2025-04-15T19:15:22.550Z",
    "dateUpdated": "2025-07-16T13:23:44.080Z",
    "state": "REJECTED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-34075\",\"sourceIdentifier\":\"disclosure@vulncheck.com\",\"published\":\"2025-07-02T20:15:29.553\",\"lastModified\":\"2025-07-16T14:15:24.840\",\"vulnStatus\":\"Rejected\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\\n\\nInitially assigned to document an issues that allows guest VM to modify the host\u2019s Vagrantfile via default synced folder, leading to host-side code execution. Rejected as CVE due to documented, intended behavior that does not violate a claimed security boundary.\u00a0 https://developer.hashicorp.com/vagrant/docs/synced-folders\"}],\"metrics\":{},\"references\":[]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"providerMetadata\": {\"orgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"shortName\": \"VulnCheck\", \"dateUpdated\": \"2025-07-16T13:23:44.080Z\"}, \"rejectedReasons\": [{\"lang\": \"en\", \"supportingMedia\": [{\"base64\": false, \"type\": \"text/html\", \"value\": \"This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\u003cbr\u003e\u003cbr\u003eInitially assigned to document an issues that allows guest VM to modify the host\\u2019s \u003ccode\u003eVagrantfile\u003c/code\u003e via default synced folder, leading to host-side code execution. Rejected as CVE due to documented, intended behavior that does not violate a claimed security boundary.\u0026nbsp;\u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://developer.hashicorp.com/vagrant/docs/synced-folders\\\"\u003ehttps://developer.hashicorp.com/vagrant/docs/synced-folders\u003c/a\u003e\u003cbr\u003e\"}], \"value\": \"This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\\n\\nInitially assigned to document an issues that allows guest VM to modify the host\\u2019s Vagrantfile via default synced folder, leading to host-side code execution. Rejected as CVE due to documented, intended behavior that does not violate a claimed security boundary.\\u00a0 https://developer.hashicorp.com/vagrant/docs/synced-folders\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-34075\", \"assignerOrgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"state\": \"REJECTED\", \"assignerShortName\": \"VulnCheck\", \"dateReserved\": \"2025-04-15T19:15:22.550Z\", \"datePublished\": \"2025-07-02T19:26:01.774Z\", \"dateUpdated\": \"2025-07-16T13:23:44.080Z\", \"dateRejected\": \"2025-07-10T00:34:56.477Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2025-34075

Vulnerability from fkie_nvd - Published: 2025-07-02 20:15 - Updated: 2025-07-16 14:15

Severity ?

Summary

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. Initially assigned to document an issues that allows guest VM to modify the host’s Vagrantfile via default synced folder, leading to host-side code execution. Rejected as CVE due to documented, intended behavior that does not violate a claimed security boundary. https://developer.hashicorp.com/vagrant/docs/synced-folders

References

	URL	Tags

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\n\nInitially assigned to document an issues that allows guest VM to modify the host\u2019s Vagrantfile via default synced folder, leading to host-side code execution. Rejected as CVE due to documented, intended behavior that does not violate a claimed security boundary.\u00a0 https://developer.hashicorp.com/vagrant/docs/synced-folders"
    }
  ],
  "id": "CVE-2025-34075",
  "lastModified": "2025-07-16T14:15:24.840",
  "metrics": {},
  "published": "2025-07-02T20:15:29.553",
  "references": [],
  "sourceIdentifier": "disclosure@vulncheck.com",
  "vulnStatus": "Rejected"
}

GHSA-HQP6-MJW3-F586

Vulnerability from github – Published: 2025-07-02 21:32 – Updated: 2025-07-05 01:47

Summary

HashiCorp Vagrant has code injection vulnerability through default synced folders

Details

An authenticated virtual machine escape vulnerability exists in HashiCorp Vagrant versions 2.4.6 and below when using the default synced folder configuration. By design, Vagrant automatically mounts the host system’s project directory into the guest VM under /vagrant (or C:\vagrant on Windows). This includes the Vagrantfile configuration file, which is a Ruby script evaluated by the host every time a vagrant command is executed in the project directory. If a low-privileged attacker obtains shell access to the guest VM, they can append arbitrary Ruby code to the mounted Vagrantfile. When a user on the host later runs any vagrant command, the injected code is executed on the host with that user’s privileges.

While this shared-folder behavior is well-documented by Vagrant, the security implications of Vagrantfile execution from guest-writable storage are not explicitly addressed. This effectively enables guest-to-host code execution in multi-tenant or adversarial VM scenarios.

Severity ?

5.4 (Medium)


                  
                    CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "vagrant"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.10"
            },
            {
              "fixed": "2.4.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-34075"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276",
      "CWE-668",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-03T12:59:35Z",
    "nvd_published_at": "2025-07-02T20:15:29Z",
    "severity": "MODERATE"
  },
  "details": "An authenticated virtual machine escape vulnerability exists in HashiCorp Vagrant versions 2.4.6 and below when using the default synced folder configuration. By design, Vagrant automatically mounts the host system\u2019s project directory into the guest VM under /vagrant (or C:\\vagrant on Windows). This includes the Vagrantfile configuration file, which is a Ruby script evaluated by the host every time a vagrant command is executed in the project directory. If a low-privileged attacker obtains shell access to the guest VM, they can append arbitrary Ruby code to the mounted Vagrantfile. When a user on the host later runs any vagrant command, the injected code is executed on the host with that user\u2019s privileges.\n\nWhile this shared-folder behavior is well-documented by Vagrant, the security implications of Vagrantfile execution from guest-writable storage are not explicitly addressed. This effectively enables guest-to-host code execution in multi-tenant or adversarial VM scenarios.",
  "id": "GHSA-hqp6-mjw3-f586",
  "modified": "2025-07-05T01:47:56Z",
  "published": "2025-07-02T21:32:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34075"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hashicorp/vagrant/issues/13688"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hashicorp/vagrant/commit/abe87b2fdc124ef426c016d44d2f6f4792f0cbe3"
    },
    {
      "type": "WEB",
      "url": "https://developer.hashicorp.com/vagrant"
    },
    {
      "type": "WEB",
      "url": "https://developer.hashicorp.com/vagrant/docs/synced-folders/basic_usage"
    },
    {
      "type": "WEB",
      "url": "https://developer.hashicorp.com/vagrant/docs/vagrantfile"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-hqp6-mjw3-f586"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hashicorp/vagrant"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/vagrant/CVE-2025-34075.yml"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/local/vagrant_synced_folder_vagrantfile_breakout.rb"
    },
    {
      "type": "WEB",
      "url": "https://vulncheck.com/advisories/hashicorp-vagrant-synced-folder-vagrantfile-breakout"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "HashiCorp Vagrant has code injection vulnerability through default synced folders"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-34075 (GCVE-0-2025-34075)

FKIE_CVE-2025-34075

GHSA-HQP6-MJW3-F586

Tags

Sightings

Nomenclature