Svenstaro Miniserve Arbitrary File Overwrite Vulnerability via TOCTOU and Symlink Race

Vulnerability

A vulnerability in Svenstaro Miniserve version 0.32.0 allows arbitrary file overwrites through a time-of-check to time-of-use (TOCTOU) race condition combined with symlink following. When file uploads are enabled, an attacker who can create or replace filesystem entries in the upload destination directory may exploit this issue. The defect lies in the upload finalization step: the server checks the destination path and then writes to it, and a symlink swapped in between the check and the write causes the uploaded content to be written to a file outside the intended upload directory or document root.

Impact

Exploitation of this vulnerability leads to arbitrary file overwrites. In some cases, this could be chained to execute commands by overwriting files that are later executed, such as shell initialization files or service configurations, depending on the privileges of the Miniserve process and the writable targets.

Reproduction

To reproduce this vulnerability, upload a file to a Miniserve instance with version 0.32.0 using the upload feature. Simultaneously, create a symlink in the upload destination directory that points to a file outside the intended document root. Miniserve will follow the symlink and overwrite the target file with the uploaded content. This can be automated with a script that manages the timing of the symlink replacement and the upload requests.

Remediation

Users are advised to run Miniserve as a low-privilege user with minimal writable files, avoid shared writable directories or volumes, and consider placing the upload temporary directory on the same filesystem as the destination directory to reduce the risk of cross-filesystem exploitation.
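The finalization step described above, shown as an added example that is not miniserve's own code: a race-prone copy that opens the destination by path beside a hardened variant that prefers `rename` (which replaces a symlink at the destination instead of following it) and, on a cross-filesystem fallback, opens the destination with `O_CREAT|O_EXCL|O_NOFOLLOW`. The `O_NOFOLLOW` value and the `EXDEV` errno are the Linux values and are assumptions here.

```rust
// Added example (not miniserve's code): finalizing an upload without
// writing through a symlink planted at the destination path. Assumes Linux.
use std::fs::{self, OpenOptions};
use std::io;
use std::os::unix::fs::OpenOptionsExt;
use std::path::Path;

// Linux (x86_64/aarch64) value of O_NOFOLLOW; an assumption, not portable.
const O_NOFOLLOW: i32 = 0o400000;
// Linux errno for "cross-device link", returned by rename across filesystems.
const EXDEV: i32 = 18;

/// Race-prone finalization: `fs::copy` opens `dest` by path with
/// O_CREAT|O_TRUNC, so a symlink an attacker places at `dest` between the
/// server's check and this write is followed and its target is overwritten.
pub fn finalize_copy_unsafe(tmp: &Path, dest: &Path) -> io::Result<()> {
    fs::copy(tmp, dest)?;
    fs::remove_file(tmp)
}

/// Hardened finalization. `rename` never follows a symlink at `dest`; it
/// unlinks the link itself, so it is tried first. If the temp directory is on
/// another filesystem (EXDEV), fall back to a copy that refuses to open
/// through any pre-existing entry at `dest`, symlink included.
pub fn finalize_upload(tmp: &Path, dest: &Path) -> io::Result<()> {
    match fs::rename(tmp, dest) {
        Ok(()) => return Ok(()),
        Err(e) if e.raw_os_error() == Some(EXDEV) => {} // cross-filesystem
        Err(e) => return Err(e),
    }
    copy_no_follow(tmp, dest)?;
    fs::remove_file(tmp)
}

/// Copy `tmp` into a freshly created `dest`. `create_new` maps to
/// O_CREAT|O_EXCL, which fails if anything already exists at `dest`
/// (a symlink counts, even a dangling one); O_NOFOLLOW is added so that
/// the final path component is never resolved through a link at all.
pub fn copy_no_follow(tmp: &Path, dest: &Path) -> io::Result<u64> {
    let mut src = fs::File::open(tmp)?;
    let mut out = OpenOptions::new()
        .write(true)
        .create_new(true)
        .custom_flags(O_NOFOLLOW)
        .open(dest)?;
    io::copy(&mut src, &mut out)
}
```

If the server must allow overwriting an existing regular file, drop `create_new` but keep `O_NOFOLLOW`; the open then still fails with ELOOP when the destination is a symlink.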

Added: Jan 23, 2026, 4:45 PM
Updated: Jan 23, 2026, 7:25 PM

Vulnerability Rating (Custom Algorithm)

spread:         0.0
impact:        10.0
exploitability: 4.4
remediation:    0.0
relevance:      2.3
threat:         6.4
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.