CVE-2025-34075 - Vulnerability Details

This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. Initially assigned to document an issues that allows guest VM to modify the host’s Vagrantfile via default synced folder, leading to host-side code execution. Rejected as CVE due to documented, intended behavior that does not violate a claimed security boundary. https://developer.hashicorp.com/vagrant/docs/synced-folders

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Hashicorp	Vagrant

No data.

References

No reference.

History

Wed, 16 Jul 2025 13:30:00 +0000

Type	Values Removed	Values Added
Description	This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.	This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. Initially assigned to document an issues that allows guest VM to modify the host’s Vagrantfile via default synced folder, leading to host-side code execution. Rejected as CVE due to documented, intended behavior that does not violate a claimed security boundary. https://developer.hashicorp.com/vagrant/docs/synced-folders
Metrics		epss `{}`

Thu, 10 Jul 2025 01:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-276 CWE-668 CWE-94
References	https://developer.hashicorp.com/vagrant https://developer.hashicorp.com/vagrant/docs/synced-folders/basic_usage https://developer.hashicorp.com/vagrant/docs/vagrantfile https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/local/vagrant_synced_folder_vagrantfile_breakout.rb https://vulncheck.com/advisories/hashicorp-vagrant-synced-folder-vagrantfile-breakout
Metrics	cvssV4_0 `{'score': 5.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}`

Thu, 10 Jul 2025 01:15:00 +0000

Type	Values Removed	Values Added
Title	HashiCorp Vagrant Synced Folder Vagrantfile Breakout Host Code Execution
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 10 Jul 2025 00:45:00 +0000

Type	Values Removed	Values Added
Description	An authenticated virtual machine escape vulnerability exists in HashiCorp Vagrant when using the default synced folder configuration. By design, Vagrant automatically mounts the host system’s project directory into the guest VM under /vagrant (or C:\vagrant on Windows). This includes the Vagrantfile configuration file, which is a Ruby script evaluated by the host every time a vagrant command is executed in the project directory. If a low-privileged attacker obtains shell access to the guest VM, they can append arbitrary Ruby code to the mounted Vagrantfile. When a user on the host later runs any vagrant command, the injected code is executed on the host with that user’s privileges. While this shared-folder behavior is well-documented by Vagrant, the security implications of Vagrantfile execution from guest-writable storage are not explicitly addressed. This effectively enables guest-to-host code execution in multi-tenant or adversarial VM scenarios.	This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Metrics	cvssV4_0 `{'score': 5.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`	cvssV4_0 `{'score': 5.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}`

Wed, 02 Jul 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 02 Jul 2025 19:30:00 +0000

Type	Values Removed	Values Added
Description		An authenticated virtual machine escape vulnerability exists in HashiCorp Vagrant when using the default synced folder configuration. By design, Vagrant automatically mounts the host system’s project directory into the guest VM under /vagrant (or C:\vagrant on Windows). This includes the Vagrantfile configuration file, which is a Ruby script evaluated by the host every time a vagrant command is executed in the project directory. If a low-privileged attacker obtains shell access to the guest VM, they can append arbitrary Ruby code to the mounted Vagrantfile. When a user on the host later runs any vagrant command, the injected code is executed on the host with that user’s privileges. While this shared-folder behavior is well-documented by Vagrant, the security implications of Vagrantfile execution from guest-writable storage are not explicitly addressed. This effectively enables guest-to-host code execution in multi-tenant or adversarial VM scenarios.
Title		HashiCorp Vagrant Synced Folder Vagrantfile Breakout Host Code Execution
Weaknesses		CWE-276 CWE-668 CWE-94
References		https://developer.hashicorp.com/vagrant https://developer.hashicorp.com/vagrant/docs/synced-folders/basic_usage https://developer.hashicorp.com/vagrant/docs/vagrantfile https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/local/vagrant_synced_folder_vagrantfile_breakout.rb https://vulncheck.com/advisories/hashicorp-vagrant-synced-folder-vagrantfile-breakout
Metrics		cvssV4_0 `{'score': 5.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`