2414630 – (CVE-2025-61667) CVE-2025-61667 github.com/DataDog/datadog-agent: Datadog Linux Host Agent local privilege escalation

Bug 2414630 (CVE-2025-61667) - CVE-2025-61667 github.com/DataDog/datadog-agent: Datadog Linux Host Agent local privilege escalation

Summary: CVE-2025-61667 github.com/DataDog/datadog-agent: Datadog Linux Host Agent loc...

Keywords:
Status:	NEW
Alias:	CVE-2025-61667
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-11-12 19:01 UTC by OSIDB Bzimport
Modified:	2025-11-12 20:24 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-11-12 19:01:40 UTC

The Datadog Agent collects events and metrics from hosts and sends them to Datadog. A vulnerability within the Datadog Linux Host Agent versions 7.65.0 through 7.70.2 exists due to insufficient permissions being set on the `opt/datadog-agent/python-scripts/__pycache__` directory during installation. Code in this directory is only run by the Agent during Agent install/upgrades.  This could allow an attacker with local access to modify files in this directory, which would then subsequently be run when the Agent is upgraded, resulting in local privilege escalation. This issue requires local access to the host and a valid low privilege account to be vulnerable. Note that this vulnerability only impacts the Linux Host Agent. Other variations of the Agent including the container, kubernetes, windows host and other agents are not impacted. Version 7.71.0 contains a patch for the issue.

Note You need to log in before you can comment on or make changes to this bug.