CVE-2025-34075
Severity CVSS v4.0:
MEDIUM
Type:
CWE-94
Code Injection
Publication date:
02/07/2025
Last modified:
16/07/2025
Description
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Initially assigned to document an issue that allows a guest VM to modify the host’s Vagrantfile via the default synced folder, leading to host-side code execution. Rejected as a CVE due to documented, intended behavior that does not violate a claimed security boundary. https://developer.hashicorp.com/vagrant/docs/synced-folders
Impact
Base Score 4.0
5.40
Severity 4.0
MEDIUM
References to Advisories, Solutions, and Tools
- https://developer.hashicorp.com/vagrant
- https://developer.hashicorp.com/vagrant/docs/synced-folders/basic_usage
- https://developer.hashicorp.com/vagrant/docs/vagrantfile
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/local/vagrant_synced_folder_vagrantfile_breakout.rb
- https://vulncheck.com/advisories/hashicorp-vagrant-synced-folder-vagrantfile-breakout