| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| pyxdg | pip | <= 0.25 | 0.26 |
The vulnerability description explicitly names get_runtime_dir as the vulnerable function. The commit diff shows security improvements in this function: the original code used a bare mkdir/chmod sequence without verifying directory ownership, symlink status, or access permissions. This allowed TOCTOU attacks in which an attacker first creates a legitimate directory, then replaces it with a symlink after validation. The CWE-59 classification confirms this is a link-resolution issue. The patch adds lstat checks, ownership verification, and proper cleanup, directly addressing the vulnerability in this function.
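The following is an added example written for this page, not pyxdg's code and not the patch described above. It shows the hardened pattern for creating a per-user runtime directory: instead of checking a path and then chmod-ing the same path (the window the TOCTOU exploits), it opens the directory with O_NOFOLLOW so a planted symlink cannot be opened at all, and performs the ownership and permission checks and the chmod on the open file descriptor. The function and directory names are hypothetical; the `demo()` helper builds constructed inputs in a scratch directory and assumes a POSIX system.

```python
import os
import stat
import tempfile


def ensure_private_dir(path: str) -> str:
    """Create or validate a per-user private directory at `path`.

    Hypothetical hardened pattern written for this page, not pyxdg's code.
    The directory is opened with O_NOFOLLOW so a symlink planted at `path`
    fails to open, and the ownership/mode checks and the chmod all act on
    the open fd, so there is no gap between a path-based check and a
    path-based use.
    """
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass  # either ours from an earlier run or something planted here: verified below

    flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags)
    except OSError as e:
        # ELOOP / ENOTDIR here mean a symlink or a non-directory sits at the path
        raise PermissionError(f"refusing to use {path!r}: {e.strerror}") from None
    try:
        st = os.fstat(fd)
        if not stat.S_ISDIR(st.st_mode):
            raise PermissionError(f"{path!r} is not a directory")
        if st.st_uid != os.getuid():
            raise PermissionError(
                f"{path!r} is owned by uid {st.st_uid}, expected {os.getuid()}"
            )
        if stat.S_IMODE(st.st_mode) != 0o700:
            # Tighten permissions on the verified directory itself, not on whatever
            # a path lookup would resolve to at this instant.
            os.fchmod(fd, 0o700)
    finally:
        os.close(fd)
    return path


def demo() -> dict:
    """Exercise three cases on constructed inputs in a scratch directory (runs offline)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # Case 1: a fresh path is created with mode 0700.
        fresh = os.path.join(tmp, "runtime-fresh")
        ensure_private_dir(fresh)
        results["fresh_mode"] = stat.S_IMODE(os.lstat(fresh).st_mode)

        # Case 2: an existing, too-permissive directory owned by us is tightened in place.
        loose = os.path.join(tmp, "runtime-loose")
        os.mkdir(loose, 0o755)
        os.chmod(loose, 0o755)  # explicit, in case the umask narrowed the mkdir mode
        ensure_private_dir(loose)
        results["loose_mode_after"] = stat.S_IMODE(os.lstat(loose).st_mode)

        # Case 3: a symlink planted at the path is rejected and its target is untouched.
        target = os.path.join(tmp, "victim")
        os.mkdir(target, 0o755)
        os.chmod(target, 0o755)
        link = os.path.join(tmp, "runtime-link")
        os.symlink(target, link)
        try:
            ensure_private_dir(link)
            results["symlink_rejected"] = False
        except PermissionError:
            results["symlink_rejected"] = True
        results["target_mode_after"] = stat.S_IMODE(os.lstat(target).st_mode)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, oct(value) if isinstance(value, int) else value)
```

The design point is that every decision after `os.mkdir` is made about the object behind the file descriptor, never about the path string, so swapping the path for a symlink between the check and the chmod gains the attacker nothing: the open with O_NOFOLLOW simply fails. The same fd can then be handed to `os.open(..., dir_fd=fd)` calls for files inside the directory, which keeps the rest of the runtime-dir handling on the same footing.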