{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-9810", "assignerOrgId": "96148269-fe82-4198-b1bf-3a73ce8bc92e", "state": "PUBLISHED", "assignerShortName": "CyberArk", "dateReserved": "2025-09-01T18:48:53.813Z", "datePublished": "2025-09-01T19:03:19.540Z", "dateUpdated": "2025-09-02T16:13:46.132Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "modules": ["linenoiseHistorySave"], "product": "linenoise", "programFiles": ["linenoise.c"], "vendor": "antirez", "versions": [{"status": "affected", "version": "0"}]}], "credits": [{"lang": "en", "type": "finder", "value": "@disconnect3d"}, {"lang": "en", "type": "analyst", "value": "Simcha Kosman"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">TOCTOU </span><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;in </span><code>linenoiseHistorySave</code><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;in </span><code>linenoise</code><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;allows local attackers to overwrite arbitrary files and change permissions via a symlink race between </span><code>fopen(\"w\")</code><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;on the history path and subsequent </span><code>chmod()</code><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;on the same path.</span>"}], "value": "TOCTOU \u00a0in linenoiseHistorySave\u00a0in linenoise\u00a0allows local attackers to overwrite arbitrary files and change permissions via a symlink race between fopen(\"w\")\u00a0on the history path and subsequent chmod()\u00a0on the same path."}], "impacts": [{"capecId": "CAPEC-132", "descriptions": [{"lang": "en", "value": "CAPEC-132 Symlink Attack"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-367", "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "96148269-fe82-4198-b1bf-3a73ce8bc92e", "shortName": "CyberArk", "dateUpdated": "2025-09-01T19:03:19.540Z"}, "references": [{"url": "https://github.com/antirez/linenoise/blob/master/linenoise.c#L1321"}, {"url": "https://github.com/antirez/linenoise/pull/202"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "call fchmod() on the fd instead of chmod() on the path\n\n<br>"}], "value": "call fchmod() on the fd instead of chmod() on the path"}], "source": {"discovery": "UNKNOWN"}, "title": "TOCTOU race in Linenoise enables arbitrary file overwrite and permission changes", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-02T16:13:30.664402Z", "id": "CVE-2025-9810", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-02T16:13:46.132Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9810", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-02T16:13:30.664402Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-02T16:13:43.003Z"}}], "cna": {"title": "TOCTOU race in Linenoise enables arbitrary file overwrite and permission changes", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "@disconnect3d"}, {"lang": "en", "type": "analyst", "value": "Simcha Kosman"}], "impacts": [{"capecId": "CAPEC-132", "descriptions": [{"lang": "en", "value": "CAPEC-132 Symlink Attack"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "antirez", "modules": ["linenoiseHistorySave"], "product": "linenoise", "versions": [{"status": "affected", "version": "0"}], "programFiles": ["linenoise.c"], "defaultStatus": "affected"}], "solutions": [{"lang": "en", "value": "call fchmod() on the fd instead of chmod() on the path", "supportingMedia": [{"type": "text/html", "value": "call fchmod() on the fd instead of chmod() on the path\n\n<br>", "base64": false}]}], "references": [{"url": "https://github.com/antirez/linenoise/blob/master/linenoise.c#L1321"}, {"url": "https://github.com/antirez/linenoise/pull/202"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "TOCTOU \u00a0in linenoiseHistorySave\u00a0in linenoise\u00a0allows local attackers to overwrite arbitrary files and change permissions via a symlink race between fopen(\"w\")\u00a0on the history path and subsequent chmod()\u00a0on the same path.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">TOCTOU </span><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;in </span><code>linenoiseHistorySave</code><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;in </span><code>linenoise</code><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;allows local attackers to overwrite arbitrary files and change permissions via a symlink race between </span><code>fopen(\"w\")</code><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;on the history path and subsequent </span><code>chmod()</code><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;on the same path.</span>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-367", "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition"}]}], "providerMetadata": {"orgId": "96148269-fe82-4198-b1bf-3a73ce8bc92e", "shortName": "CyberArk", "dateUpdated": "2025-09-01T19:03:19.540Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9810", "state": "PUBLISHED", "dateUpdated": "2025-09-02T16:13:46.132Z", "dateReserved": "2025-09-01T18:48:53.813Z", "assignerOrgId": "96148269-fe82-4198-b1bf-3a73ce8bc92e", "datePublished": "2025-09-01T19:03:19.540Z", "assignerShortName": "CyberArk"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "TOCTOU \u00a0in linenoiseHistorySave\u00a0in linenoise\u00a0allows local attackers to overwrite arbitrary files and change permissions via a symlink race between fopen(\"w\")\u00a0on the history path and subsequent chmod()\u00a0on the same path."}], "id": "CVE-2025-9810", "lastModified": "2025-09-02T15:55:25.420", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 4.2, "source": "96148269-fe82-4198-b1bf-3a73ce8bc92e", "type": "Secondary"}]}, "published": "2025-09-01T19:15:32.573", "references": [{"source": "96148269-fe82-4198-b1bf-3a73ce8bc92e", "url": "https://github.com/antirez/linenoise/blob/master/linenoise.c#L1321"}, {"source": "96148269-fe82-4198-b1bf-3a73ce8bc92e", "url": "https://github.com/antirez/linenoise/pull/202"}], "sourceIdentifier": "96148269-fe82-4198-b1bf-3a73ce8bc92e", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "96148269-fe82-4198-b1bf-3a73ce8bc92e", "type": "Secondary"}]}

{"bugzilla": {"description": "linenoise: TOCTOU race in Linenoise enables arbitrary file overwrite and permission changes", "id": "2392437", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2392437"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "status": "draft"}, "cwe": "CWE-367", "details": ["A time-of-check to time-of-use (TOCTOU) race condition exists in linenoise's linenoiseHistorySave() function, where the history file is first opened with fopen(\"w\") and subsequently modified with chmod(). This vulnerability allows a local attacker to manipulate a symbolic link between these two operations: first, pointing the symlink to a sensitive file at the time of opening, and then switching it to another file before the permission change. This flaw allows arbitrary file overwrite or unintended permission modifications."], "mitigation": {"lang": "en:us", "value": "No mitigation is currently available that meets Red Hat Product Security's standards for usability, deployment, applicability, or stability."}, "name": "CVE-2025-9810", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "valkey", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "redis:6/redis", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "redis", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "redis:7/redis", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "valkey", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-09-01T19:03:19Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-9810\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-9810\nhttps://github.com/antirez/linenoise/blob/master/linenoise.c#L1321\nhttps://github.com/antirez/linenoise/pull/202"], "statement": "This vulnerability allows a local, unauthenticated attacker to race linenoiseHistorySave() and overwrite arbitrary files with the calling process\u2019s privileges or change permissions on unrelated files, potentially disrupting system integrity and availability. While the confidentiality impact is none, the integrity impact is high and the availability impact is low, yielding a Moderate severity of CVSS 6.8. Downstream tools that embed linenoise, such as redis-cli, are affected when writing history to attacker-controllable locations.", "threat_severity": "Moderate"}