We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-34075

HashiCorp Vagrant Synced Folder Vagrantfile Breakout Host Code Execution



Description

An authenticated virtual machine escape vulnerability exists in HashiCorp Vagrant when using the default synced folder configuration. By design, Vagrant automatically mounts the host system’s project directory into the guest VM under /vagrant (or C:\vagrant on Windows). This includes the Vagrantfile configuration file, which is a Ruby script evaluated by the host every time a vagrant command is executed in the project directory. If a low-privileged attacker obtains shell access to the guest VM, they can append arbitrary Ruby code to the mounted Vagrantfile. When a user on the host later runs any vagrant command, the injected code is executed on the host with that user’s privileges. While this shared-folder behavior is well-documented by Vagrant, the security implications of Vagrantfile execution from guest-writable storage are not explicitly addressed. This effectively enables guest-to-host code execution in multi-tenant or adversarial VM scenarios.

Reserved 2025-04-15 | Published 2025-07-02 | Updated 2025-07-02 | Assigner VulnCheck


MEDIUM: 5.4CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-276 Incorrect Default Permissions

CWE-668 Exposure of Resource to Wrong Sphere

CWE-94 Improper Control of Generation of Code ('Code Injection')

Product status

Default status
unaffected

Any version before 2.4.0
affected

Credits

bcoles finder

References

developer.hashicorp.com/...t/docs/synced-folders/basic_usage product technical-description

developer.hashicorp.com/vagrant product

developer.hashicorp.com/vagrant/docs/vagrantfile product technical-description

raw.githubusercontent.com/..._folder_vagrantfile_breakout.rb exploit

vulncheck.com/...-vagrant-synced-folder-vagrantfile-breakout third-party-advisory

cve.org (CVE-2025-34075)

nvd.nist.gov (CVE-2025-34075)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-34075

Support options

Helpdesk Chat, Email, Knowledgebase