CVE-2025-34075

{"id": "CVE-2025-34075", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.4, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-02T20:15:29.553", "references": [{"url": "https://developer.hashicorp.com/vagrant", "source": "disclosure@vulncheck.com"}, {"url": "https://developer.hashicorp.com/vagrant/docs/synced-folders/basic_usage", "source": "disclosure@vulncheck.com"}, {"url": "https://developer.hashicorp.com/vagrant/docs/vagrantfile", "source": "disclosure@vulncheck.com"}, {"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/local/vagrant_synced_folder_vagrantfile_breakout.rb", "source": "disclosure@vulncheck.com"}, {"url": "https://vulncheck.com/advisories/hashicorp-vagrant-synced-folder-vagrantfile-breakout", "source": "disclosure@vulncheck.com"}, {"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/local/vagrant_synced_folder_vagrantfile_breakout.rb", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-276"}, {"lang": "en", "value": "CWE-668"}]}], "descriptions": [{"lang": "en", "value": "An authenticated virtual machine escape vulnerability exists in HashiCorp Vagrant when using the default synced folder configuration. By design, Vagrant automatically mounts the host system\u2019s project directory into the guest VM under /vagrant (or C:\\vagrant on Windows). This includes the Vagrantfile configuration file, which is a Ruby script evaluated by the host every time a vagrant command is executed in the project directory. If a low-privileged attacker obtains shell access to the guest VM, they can append arbitrary Ruby code to the mounted Vagrantfile. When a user on the host later runs any vagrant command, the injected code is executed on the host with that user\u2019s privileges.\n\n While this shared-folder behavior is well-documented by Vagrant, the security implications of Vagrantfile execution from guest-writable storage are not explicitly addressed. This effectively enables guest-to-host code execution in multi-tenant or adversarial VM scenarios."}, {"lang": "es", "value": "Existe una vulnerabilidad de escape de m\u00e1quina virtual autenticada en HashiCorp Vagrant al usar la configuraci\u00f3n predeterminada de carpetas sincronizadas. Por dise\u00f1o, Vagrant monta autom\u00e1ticamente el directorio del proyecto del sistema host en la m\u00e1quina virtual invitada, bajo /vagrant (o C:\\vagrant en Windows). Esto incluye el archivo de configuraci\u00f3n Vagrantfile, un script de Ruby que el host eval\u00faa cada vez que se ejecuta un comando de Vagrant en el directorio del proyecto. Si un atacante con pocos privilegios obtiene acceso de shell a la m\u00e1quina virtual invitada, puede a\u00f1adir c\u00f3digo Ruby arbitrario al Vagrantfile montado. Cuando un usuario del host ejecuta posteriormente cualquier comando de Vagrant, el c\u00f3digo inyectado se ejecuta en el host con los privilegios de ese usuario. Si bien Vagrant documenta exhaustivamente este comportamiento de carpeta compartida, no se abordan expl\u00edcitamente las implicaciones de seguridad de la ejecuci\u00f3n de Vagrantfile desde el almacenamiento con permisos de escritura del hu\u00e9sped. Esto permite la ejecuci\u00f3n de c\u00f3digo de hu\u00e9sped a host en escenarios de m\u00e1quinas virtuales multiinquilino o adversarias."}], "lastModified": "2025-07-03T15:13:53.147", "sourceIdentifier": "disclosure@vulncheck.com"}