Description

The configuration initialization tool in OpenVPN 3 Linux v20 through v24 on Linux allows a local attacker to use a symlink pointing at an arbitrary directory to change the ownership and permissions of that destination directory.

PUBLISHED Reserved 2025-04-23 | Published 2025-05-19 | Updated 2025-05-20 | Assigner OpenVPN

Problem types

CWE-59 Improper Link Resolution Before File Access ('Link Following')

Product status

Default status: unaffected

v20 (semver): affected

References

www.openwall.com/lists/oss-security/2025/05/20/2

community.openvpn.net/Security Announcements/CVE-2025-3908

cve.org (CVE-2025-3908)

nvd.nist.gov (CVE-2025-3908)
