CVE-2014-1624: pyxdg Arbitrary File Overwrite via Race Condition
CVSS Score: 3.3 (CVSS v2)
Basic Information
CVE ID: CVE-2014-1624
GHSA ID
EPSS Score: 0.17229%
CWE: CWE-59 (Improper Link Resolution Before File Access)
Published: 5/17/2022
Updated: 10/16/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector (v2): AV:L/AC:M/Au:N/C:N/I:P/A:P
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| pyxdg | pip | <= 0.25 | 0.26 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability description names get_runtime_dir as the vulnerable function. In the affected versions the fallback runtime directory (a predictable path under /tmp) is handled with a plain mkdir, and if the entry already exists (EEXIST) a chmod is applied to it without checking who owns the entry, whether it is a symlink, or what its permissions are. Because chmod follows symlinks, a local attacker who pre-creates the fallback name as a symlink, or who replaces a legitimate directory with a symlink after it has been checked (a TOCTOU race), gets the victim's runtime directory redirected to wherever the link points; anything the victim then writes into its "runtime dir" lands at the attacker-chosen location, which is the arbitrary file overwrite the CVE describes. The CWE-59 classification (improper link resolution before file access) matches this. The 0.26 patch uses lstat rather than stat so that a symlink is seen as a symlink, requires the entry to be a real directory owned by the calling user with no group or other permission bits, removes anything that fails those checks, and only then creates a fresh 0700 directory. Note that lstat followed by mkdir is still a check-then-act sequence; what makes it safe is that mkdir is atomic and fails with EEXIST if an attacker re-plants an entry between the check and the create, so the function errors out rather than silently adopting the attacker's path, provided that failure is not swallowed.
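The pattern the analysis describes, as an added example that is not pyxdg's own code: a fallback written in the vulnerable shape (mkdir, chmod on EEXIST) beside a hardened one that follows the shape of the fix (lstat, type/owner/mode checks, cleanup, fresh mkdir), exercised against a constructed scenario in which a symlink has been planted at the fallback name. The base directory, the `_user` helper and the `demo()` scenario are assumptions for illustration, not taken from the project.

```python
import errno
import getpass
import os
import shutil
import stat
import tempfile


def _user():
    # Assumption: fall back to the numeric uid where getpass cannot resolve a name
    # (minimal containers without a passwd entry or USER/LOGNAME in the environment).
    try:
        return getpass.getuser()
    except Exception:
        return str(os.getuid())


def fallback_runtime_dir_vulnerable(base="/tmp"):
    """Vulnerable shape: mkdir, and on EEXIST chmod whatever is already there.
    os.chmod follows symlinks, so a pre-planted symlink is chmod'ed through to
    its target and then handed back as the runtime directory."""
    fallback = os.path.join(base, "pyxdg-runtime-dir-fallback-" + _user())
    try:
        os.mkdir(fallback, 0o700)
    except OSError as e:
        if e.errno == errno.EEXIST:
            os.chmod(fallback, stat.S_IRWXU)  # follows a symlink to its target
        else:
            raise
    return fallback


def fallback_runtime_dir_hardened(base="/tmp"):
    """Hardened shape: lstat (never follow links), require a real directory owned
    by us with no group/other bits, otherwise remove the entry and create a fresh
    0700 directory. mkdir is atomic and raises on EEXIST, so an attacker racing
    the check causes an exception instead of a silently adopted path."""
    fallback = os.path.join(base, "pyxdg-runtime-dir-fallback-" + _user())
    create = False
    try:
        st = os.lstat(fallback)
    except OSError as e:
        if e.errno == errno.ENOENT:
            create = True
        else:
            raise
    else:
        if not stat.S_ISDIR(st.st_mode):
            os.unlink(fallback)  # symlink or regular file: remove it, do not follow it
            create = True
        elif st.st_uid != os.getuid() or st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            os.rmdir(fallback)  # someone else's directory, or too permissive
            create = True
    if create:
        os.mkdir(fallback, 0o700)  # raises FileExistsError if re-planted meanwhile
    return fallback


def demo():
    """Constructed scenario (not a real incident): an attacker has planted a
    symlink at the fallback name pointing at a victim file.

    Returns (victim_mode_after_vulnerable, hardened_is_real_dir,
             hardened_mode, hardened_mode_after_recreate)."""
    base = tempfile.mkdtemp(prefix="pyxdg-demo-")
    try:
        victim = os.path.join(base, "victim.txt")
        with open(victim, "w") as f:
            f.write("victim data\n")
        os.chmod(victim, 0o644)
        name = os.path.join(base, "pyxdg-runtime-dir-fallback-" + _user())
        os.symlink(victim, name)

        # Vulnerable version: mkdir fails with EEXIST, chmod follows the link.
        fallback_runtime_dir_vulnerable(base)
        victim_mode_after = stat.S_IMODE(os.stat(victim).st_mode)  # 0o700

        # Hardened version: lstat sees a symlink, unlinks it, creates a real dir.
        path = fallback_runtime_dir_hardened(base)
        st = os.lstat(path)
        is_real_dir = stat.S_ISDIR(st.st_mode) and not os.path.islink(path)
        mode = stat.S_IMODE(st.st_mode)

        # A directory that is ours but too permissive is replaced as well.
        os.chmod(path, 0o755)
        path = fallback_runtime_dir_hardened(base)
        mode_after_recreate = stat.S_IMODE(os.lstat(path).st_mode)
        return (victim_mode_after, is_real_dir, mode, mode_after_recreate)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The demo shows both halves of the issue: the vulnerable function changes the mode of a file it never intended to touch (the victim file goes from 0644 to 0700 because chmod followed the link) and returns the link as the runtime directory, while the hardened function refuses the symlink, the foreign or over-permissive directory, and ends with a real 0700 directory it created itself.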