miniserve, TOCTOU and symlink race vulnerability, Moderate severity

Listen to this Post

How the mentioned CVE works: This vulnerability affects miniserve version 0.32.0 during upload finalization when uploads are enabled. It involves a Time-of-Check Time-of-Use (TOCTOU) race condition combined with symbolic link attacks. The server checks the intended upload path within the document root but then uses it non-atomically for writing. An attacker with access to create or replace filesystem entries in the upload destination can exploit this by inserting a symbolic link after the path validation but before file write operations. By rapidly swapping a regular file with a symlink pointing to arbitrary locations outside the document root, uploaded content can be written to unintended files. This is feasible in shared writable directories or volumes, where the attacker controls file entries. The race window is narrow but exploitable through repeated attempts, potentially leading to overwriting of critical system files or configuration data. The vulnerability stems from insufficient synchronization and secure file handling in the upload process, allowing bypass of path restrictions.
Platform: miniserve
Version: 0.32.0
Vulnerability: TOCTOU symlink race
Severity: Moderate
date: Jan 23 2026

Prediction: Patch expected Jan 30 2026

What Undercode Say:

Analytics

!/bin/bash

Check miniserve version

miniserve –version

List upload directory contents

ls -la /upload/path/

Monitor file changes

inotifywait -m /upload/path/

Simulate symlink switching

ln -sf /target/file /upload/path/exploit

while true; do

mv /upload/path/exploit /upload/path/temp;

ln -sf /etc/passwd /upload/path/exploit;

sleep 0.1;

done

How Exploit

1. Identify writable upload directory.

2. Upload initial file to establish path.

3. Create symlink to target file outside root.

  1. Race condition by swapping symlink during upload finalization.

5. Repeated attempts to overwrite arbitrary files.

Protection from this CVE

Update to patched version.

Use isolated upload directories.

Implement atomic file operations.

Restrict filesystem permissions.

Disable uploads if unnecessary.

Impact

Arbitrary file overwrite.

Data corruption.

Potential privilege escalation.

Service disruption.

Unauthorized access.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top