CVE-2025-27148: Gradle vulnerable to local privilege escalation through system temporary directory

8.8 CVSS

Description

Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. On Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Initialization of this library could therefore be vulnerable to local privilege escalation by an attacker who quickly deletes and recreates files in the system temporary directory. Gradle builds that rely on versions of net.rubygrapefruit:native-platform prior to 0.22-milestone-28 could be affected in this way.

In net.rubygrapefruit:native-platform prior to version 0.22-milestone-28, if `Native.get(Class<>)` was called without first calling `Native.init(File)` with a non-`null` argument used as the working file path, the library would initialize itself using the system temporary directory (see NativeLibraryLocator.java, lines 68 through 78). Version 0.22-milestone-28 has been released with changes that fix the problem. Initialization is now mandatory and no longer uses the system temporary directory unless such a path is explicitly passed for initialization. The only workaround for affected versions is to perform a proper initialization using a location that is safe.
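The following check is an added example, not code from Gradle or native-platform. It flags a directory that other users can write to and delete from (world-writable without the sticky bit, as in the references below) and creates a private `0700` working directory of the kind that could be passed to `Native.init(File)`. The function names, the `native-platform-` prefix and the choice of parent directory are assumptions made for illustration.

```python
import os
import stat
import tempfile

def assess_dir(path):
    """Return findings that make `path` unsafe as a shared working directory."""
    st = os.lstat(path)  # lstat: do not follow a symlink planted at this path
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink"]
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]
    findings = []
    world_writable = bool(st.st_mode & stat.S_IWOTH)
    sticky = bool(st.st_mode & stat.S_ISVTX)
    if world_writable and not sticky:
        # Any local user can delete and recreate other users' files here.
        findings.append("world-writable without sticky bit")
    if st.st_uid not in (0, os.getuid()):
        findings.append("owned by another non-root user")
    return findings

def is_private(path):
    """True if `path` is a real directory, owned by us, with mode 0700."""
    st = os.lstat(path)
    return (stat.S_ISDIR(st.st_mode)
            and st.st_uid == os.getuid()
            and stat.S_IMODE(st.st_mode) == 0o700)

def make_private_workdir(parent):
    """Create a fresh directory under `parent` (hypothetical location) and verify it."""
    # mkdtemp creates the directory atomically with mode 0700 and a random name.
    path = tempfile.mkdtemp(prefix="native-platform-", dir=parent)
    if not is_private(path):
        raise RuntimeError("unexpected owner or mode on " + path)
    return path

if __name__ == "__main__":
    tmp = tempfile.gettempdir()
    print(tmp, assess_dir(tmp) or "no findings")
    workdir = make_private_workdir(os.path.expanduser("~"))
    print("private working directory:", workdir)
```
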

Gradle 8.12, only that exact version, had codepaths where the initialization of the underlying native integration library took a default path, re...

Classification

CVE ID: CVE-2025-27148

CVSS Base Severity: HIGH

CVSS Base Score: 8.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Problem Types

CWE-378: Creation of Temporary File With Insecure Permissions

CWE-379: Creation of Temporary File in Directory with Insecure Permissions

Affected Products

Vendor: gradle

Product: gradle

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 3.02% (share of scored vulnerabilities with an equal or lower score)

EPSS Date: 2025-03-26 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-27148
https://github.com/gradle/gradle/security/advisories/GHSA-465q-w4mf-4f4r
https://github.com/gradle/gradle/security/advisories/GHSA-89qm-pxvm-p336
https://github.com/gradle/native-platform/security/advisories/GHSA-2xxp-vw2f-p3x8
https://github.com/gradle/gradle/pull/32025
https://github.com/gradle/native-platform/pull/353
https://en.wikipedia.org/wiki/Fstab#Options_common_to_all_filesystems
https://en.wikipedia.org/wiki/Sticky_bit
https://github.com/gradle/native-platform/blob/574dfe8d9fb546c990436468d617ab81c140871d/native-platform/src/main/java/net/rubygrapefruit/platform/internal/NativeLibraryLocator.java#L68-L78

Timeline