Symlink Attack Affecting miniserve package, versions >=0.0.0
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RUST-MINISERVE-15091552
- published25 Jan 2026
- disclosed23 Jan 2026
- creditAli Firas
Introduced: 23 Jan 2026
NewCVE-2025-67124 (opens in a new tab)How to fix?
There is no fixed version for miniserve.
Overview
Affected versions of this package are vulnerable to Symlink Attack via the upload finalization process. An attacker can overwrite arbitrary files outside the intended directory by exploiting a race condition involving symbolic links and time-of-check to time-of-use discrepancies. This is only exploitable if uploads are enabled and the attacker has the ability to create or replace filesystem entries in the upload destination directory, such as in a shared writable directory or volume.