Bug 2375965 (CVE-2025-34075) - CVE-2025-34075 vagrant: HashiCorp Vagrant Host Code Execution
Summary: CVE-2025-34075 vagrant: HashiCorp Vagrant Host Code Execution
Keywords:
Status: NEW
Alias: CVE-2025-34075
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2376003 2376004 2376005 2376006
Blocks:
Reported: 2025-07-02 20:01 UTC by OSIDB Bzimport
Modified: 2025-07-03 00:07 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-07-02 20:01:13 UTC
An authenticated virtual machine escape vulnerability exists in HashiCorp Vagrant when using the default synced folder configuration. By design, Vagrant automatically mounts the host system’s project directory into the guest VM under /vagrant (or C:\vagrant on Windows). This includes the Vagrantfile configuration file, which is a Ruby script evaluated by the host every time a vagrant command is executed in the project directory. If a low-privileged attacker obtains shell access to the guest VM, they can append arbitrary Ruby code to the mounted Vagrantfile. When a user on the host later runs any vagrant command, the injected code is executed on the host with that user’s privileges.

While this shared-folder behavior is well-documented by Vagrant, the security implications of Vagrantfile execution from guest-writable storage are not explicitly addressed. This effectively enables guest-to-host code execution in multi-tenant or adversarial VM scenarios.


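The following Ruby script is an added illustration of the mechanism described above and of two host-side checks; it is not code from this bug, from HashiCorp, or from the vagrant gem. The `Vagrant` module below is a stub that only records synced-folder declarations (it approximates the documented default of mounting the project root at /vagrant and the documented `disabled: true` override on the same guest path); the box name, the `./shared` path, the pin-file location and the marker payload are constructed for the demo. Evaluating a Vagrantfile with `eval` is what makes the attack work, which is the point being shown: a Vagrantfile is code, so a hash pinned outside the synced folder is checked before any `vagrant` command, and the hardened configuration stops sharing the directory that holds the Vagrantfile at all.

```ruby
require "digest"
require "tmpdir"

# Stub stand-in for the host-side loader (NOT the real vagrant gem): Vagrant
# reads the project's Vagrantfile and evaluates it as Ruby on the host.
module Vagrant
  class VMConfig
    attr_reader :synced_folders
    attr_accessor :box

    def initialize
      # Documented default: project root (".") is mounted in the guest at /vagrant.
      @synced_folders = { "/vagrant" => { host: ".", disabled: false } }
    end

    # A later declaration for the same guest path replaces the default; this is
    # how `disabled: true` on "/vagrant" switches the root mount off.
    def synced_folder(host, guest, **opts)
      @synced_folders[guest] = { host: host, disabled: opts.fetch(:disabled, false) }
    end
  end

  class Config
    attr_reader :vm
    def initialize; @vm = VMConfig.new; end
  end

  class << self; attr_accessor :last_config; end

  def self.configure(_version)
    cfg = Config.new
    yield cfg
    self.last_config = cfg
  end
end

# Mimics what the host does on every `vagrant` command: run the file as Ruby.
def evaluate_vagrantfile(text)
  eval(text, TOPLEVEL_BINDING, "Vagrantfile")
end

# Constructed sample: a typical minimal Vagrantfile (box name is an assumption).
BENIGN_VAGRANTFILE = <<~RUBY
  Vagrant.configure("2") do |config|
    config.vm.box = "generic/ubuntu2204"
  end
RUBY

# Constructed hardened variant: drop the root mount, share a subdirectory that
# contains no host-evaluated code (create: true is a documented option).
HARDENED_VAGRANTFILE = <<~RUBY
  Vagrant.configure("2") do |config|
    config.vm.box = "generic/ubuntu2204"
    config.vm.synced_folder ".", "/vagrant", disabled: true
    config.vm.synced_folder "./shared", "/srv/shared", create: true
  end
RUBY

# Constructed stand-in for what a guest attacker appends via /vagrant/Vagrantfile.
# The payload is benign here: it only sets a global so the run is observable.
INJECTED_LINE = "$host_marker = 'ran as ' + ENV.fetch('USER', 'host-user')\n"
$host_marker = nil

def vagrantfile_digest(path)
  Digest::SHA256.file(path).hexdigest
end

def pin_vagrantfile(path, pinfile)
  File.write(pinfile, vagrantfile_digest(path))
end

# True only while the Vagrantfile matches the hash pinned at trust time. The pin
# must live outside every synced folder, or the guest can update it too.
def vagrantfile_trusted?(path, pinfile)
  File.exist?(pinfile) && File.read(pinfile).strip == vagrantfile_digest(path)
end

# True when the project root would be mounted into the guest, i.e. the
# Vagrantfile itself is guest-writable.
def exposes_project_root?(cfg)
  cfg.vm.synced_folders.values.any? { |f| f[:host] == "." && !f[:disabled] }
end

def demo
  results = {}
  Dir.mktmpdir("project") do |project|
    Dir.mktmpdir("trust") do |trust_dir|            # outside the synced folder
      vf  = File.join(project, "Vagrantfile")
      pin = File.join(trust_dir, "Vagrantfile.sha256")
      File.write(vf, BENIGN_VAGRANTFILE)
      pin_vagrantfile(vf, pin)
      results[:trusted_before] = vagrantfile_trusted?(vf, pin)

      # Guest writes through the /vagrant mount; on the host that is this file.
      File.open(vf, "a") { |f| f.write(INJECTED_LINE) }
      results[:trusted_after] = vagrantfile_trusted?(vf, pin)

      # If the host runs any `vagrant` command anyway, the appended Ruby executes.
      $host_marker = nil
      evaluate_vagrantfile(File.read(vf))
      results[:payload_ran] = !$host_marker.nil?
      results[:default_exposes_root] = exposes_project_root?(Vagrant.last_config)

      evaluate_vagrantfile(HARDENED_VAGRANTFILE)
      results[:hardened_exposes_root] = exposes_project_root?(Vagrant.last_config)
    end
  end
  results
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

In practice the pin check goes in a wrapper around the `vagrant` binary (or a shell alias) so that a changed Vagrantfile aborts before Vagrant evaluates it; re-pin only after reviewing the diff on the host. Disabling the default `/vagrant` mount is the stronger fix, since it removes the guest's write path to the Vagrantfile entirely rather than detecting tampering after the fact.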