Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. Initially assigned to document an issues that allows guest VM to modify the host’s Vagrantfile via default synced folder, leading to host-side code execution. Rejected as CVE due to documented, intended behavior that does not violate a claimed security boundary. https://developer.hashicorp.com/vagrant/docs/synced-folders
https://vulncheck.com/advisories/hashicorp-vagrant-synced-folder-vagrantfile-breakout
https://developer.hashicorp.com/vagrant/docs/vagrantfile
https://developer.hashicorp.com/vagrant/docs/synced-folders/basic_usage
Published: 2025-07-02
Updated: 2025-07-16
Base Score: 7.5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
Base Score: 9.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 5.4
Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Severity: Medium
EPSS: 0.00018