Authenticated Virtual Machine Escape Vulnerability in HashiCorp Vagrant
CVE-2025-34075

5.4MEDIUM

Key Information:

Vendor

Hashicorp
Status
Vagrant
Vendor
CVE Published:
2 July 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-34075?

An authenticated virtual machine escape vulnerability has been identified in HashiCorp Vagrant that arises from the default synced folder configuration. Vagrant automatically mounts the project's directory from the host system into the guest VM, creating a shared space under /vagrant (or C:\vagrant on Windows). This setup allows a low-privileged attacker with shell access to the guest VM to inject arbitrary Ruby code into the Vagrantfile. This file is evaluated by the host system each time a Vagrant command is executed, leading to the potential execution of malicious code at the host's privilege level. While the behavior of shared folders is documented, the security risks associated with executing Vagrantfile from guest-writable storage are not clearly outlined, presenting significant threats, especially in multi-tenant environments.

Affected Version(s)

Vagrant 0 < 2.4.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-34075 - Proof of Concept

References

https://developer.hashicorp.com/vagrant/docs/synced-folde...
producttechnical-description
https://developer.hashicorp.com/vagrant
product
https://developer.hashicorp.com/vagrant/docs/vagrantfile
producttechnical-description

CVSS V4

Score:
5.4
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

bcoles
.