Local Privilege Escalation Vulnerability in Gradle's Native-Platform Tool
CVE-2025-27148

8.8 HIGH

Key Information:

Vendor: Gradle
CVE Published: 25 February 2025

Summary

Gradle's native-platform tool on Unix-like systems was found to create system temporary directories with open permissions, allowing unauthorized users to manipulate files and potentially leading to local privilege escalation. The vulnerability arises from improper initialization of the library when the Native.get(Class<>) method is called without the required Native.init(File) invocation. Users of Gradle versions before 8.12 are advised to update to the patched versions (8.12.1 and later) to mitigate this issue. As a precaution, affected users can also ensure the ‘sticky’ bit is set on the temporary directory, which limits the ability to delete files to the owner only.
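The sticky-bit precaution above can be audited with a short script. This is an added example, not code from Gradle or the advisory; the function names tmpdir_state and open_subdirs and the default of ${TMPDIR:-/tmp} are assumptions. It goes one step further than the summary by also listing subdirectories that are themselves world-writable without the sticky bit.

```shell
#!/bin/sh
# Added example (not Gradle's code): audit a temporary directory for the
# sticky-bit precaution. Function names are hypothetical.

# tmpdir_state [DIR] prints one of: sticky, private, open, missing.
# Returns 0 for sticky/private, 1 for open, 2 for missing.
tmpdir_state() {
    dir=${1:-${TMPDIR:-/tmp}}
    [ -d "$dir" ] || { echo "missing"; return 2; }
    # -H follows DIR if it is a symlink; -prune tests DIR itself without descending.
    if [ -z "$(find -H "$dir" -prune -perm -0002)" ]; then
        echo "private"   # not world-writable: other users cannot add or delete entries
    elif [ -n "$(find -H "$dir" -prune -perm -1000)" ]; then
        echo "sticky"    # world-writable, but only the owner may delete or rename a file
    else
        echo "open"      # world-writable without the sticky bit: the risky case
        return 1
    fi
}

# open_subdirs [DIR] lists directories directly under DIR that are
# world-writable and lack the sticky bit, one path per line.
open_subdirs() {
    dir=${1:-${TMPDIR:-/tmp}}
    find -H "$dir" -mindepth 1 -maxdepth 1 -type d \
        -perm -0002 ! -perm -1000 2>/dev/null
}

# Typical use on a build host:
#   tmpdir_state /tmp || echo "set the sticky bit: chmod +t /tmp"
#   open_subdirs /tmp
```
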

Affected Version(s)

gradle = 8.12

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
