CVE-2025-67487

MEDIUM EPSS 26.7%
Published Dec 9, 20256mo ago · Modified Jun 17, 20261w ago
5.5 CVSS 4.0
Medium
Find Similar
Published Dec 9, 2025 6mo ago
Last Modified Jun 17, 2026 1w ago

Description

Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. Versions 2.40.0 and below contain symbolic links (symlinks) which can be used to access files or directories outside the intended web root folder. SWS generally does not prevent symlinks from escaping the web server’s root directory. Therefore, if a malicious actor gains access to the web server’s root directory, they could create symlinks to access other files outside the designated web root folder either by URL or via the directory listing. This issue is fixed in version 2.40.1.

CVSS Details

Base Score
5.5
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
26.7% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

CWE-59
CWE-61

Affected Products 1

VendorProductVersionRange
static-web-serverstatic_web_server* ≤2.40.0

References 2

  • github.com https://github.com/static-web-server/static-web-server/commit/308f0d26ceb9c2c8bd219315d0f53914763357f2
    Patch
  • github.com https://github.com/static-web-server/static-web-server/security/advisories/GHSA-459f-x8vq-xjjm
    Vendor Advisory

Remediation

  • github.com https://github.com/static-web-server/static-web-server/commit/308f0d26ceb9c2c8bd219315d0f53914763357f2
    Patch