GHSA-mxc8-4jqf-368q

Suggest an improvement
Source
https://github.com/advisories/GHSA-mxc8-4jqf-368q
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-mxc8-4jqf-368q/GHSA-mxc8-4jqf-368q.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-mxc8-4jqf-368q
Published
2026-01-23T18:31:28Z
Modified
2026-01-23T20:37:28.140855Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
miniserve affected by a TOCTOU and symlink race vulnerability
Details

A TOCTOU and symlink race in svenstaro/miniserve 0.32.0 upload finalization (when uploads are enabled) can allow an attacker to overwrite arbitrary files outside the intended upload/document root in deployments where the attacker can create/replace filesystem entries in the upload destination directory (e.g., shared writable directory/volume).

Database specific 
{
    "nvd_published_at": "2026-01-23T16:15:52Z",
    "github_reviewed": true,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-367",
        "CWE-59"
    ],
    "github_reviewed_at": "2026-01-23T20:16:21Z"
}
References

Affected packages

crates.io / miniserve

Package

Name
miniserve
View open source insights on deps.dev
Purl
pkg:cargo/miniserve

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.32.0

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-mxc8-4jqf-368q/GHSA-mxc8-4jqf-368q.json"