CVE-2025-27148
📋 TL;DR
This vulnerability allows local privilege escalation on Unix-like systems when Gradle builds use vulnerable versions of the native-platform library. Attackers can exploit insecure temporary directory permissions to delete and recreate files, potentially gaining elevated privileges. Only Gradle 8.12 users on Unix-like systems without proper temporary directory protections are affected.
💻 Affected Systems
- Gradle
- net.rubygrapefruit:native-platform
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains root privileges on the system, enabling complete system compromise and data exfiltration.
Likely Case
Local user escalates privileges to execute arbitrary code with higher permissions than intended.
If Mitigated
No impact when proper temporary directory permissions or workarounds are implemented.
🎯 Exploit Status
Requires local access and race condition exploitation in temporary directory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Gradle 8.12.1 or 8.13; native-platform 0.22-milestone-28
Vendor Advisory: https://github.com/gradle/gradle/security/advisories/GHSA-465q-w4mf-4f4r
Restart Required: No
Instructions:
1. Update Gradle to version 8.12.1 or 8.13.
2. Update native-platform dependency to 0.22-milestone-28 or later.
3. Rebuild projects with updated versions.
🔧 Temporary Workarounds
Set sticky bit on /tmp
Unix-like: Prevents users from deleting files they don't own in temporary directory
chmod +t /tmp
Mount /tmp with noexec
Unix-like: Prevents execution of binaries from temporary directory
Edit /etc/fstab to add 'noexec' option to /tmp mount
Change Java temporary directory
All: Move temporary directory to secure location with restricted permissions
java -Djava.io.tmpdir=/secure/tmp/path ...
🧯 If You Can't Patch
- Ensure proper initialization of native library with Native.init(File) using secure path
- Implement strict file permissions on system temporary directory
🔍 How to Verify
Check if Vulnerable:
Check Gradle version: gradle --version | grep -x 'Gradle 8\.12' (exact match, so 8.12.1 does not match). Check whether you are on a Unix-like system where /tmp lacks the sticky bit.
Check Version:
gradle --version
Verify Fix Applied:
Verify Gradle version is 8.12.1 or higher. Check native-platform dependency version in build.gradle.
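The two checks above (exact Gradle version, temporary directory protection) combined into one script. This is an added example, not code from the advisory or the Gradle project; the function names are hypothetical, and the version logic encodes only this page's statement that 8.12 is affected while 8.12.1 and 8.13 are fixed.

```shell
#!/bin/sh
# Added example: audit one host for the two conditions this page names.
# Function names are hypothetical. Version logic encodes only this page's
# statement: Gradle 8.12 is affected; 8.12.1 and 8.13 carry the fix.

# Read `gradle --version` output on stdin and print the bare version.
gradle_version_from_output() {
    sed -n 's/^Gradle \([0-9][0-9A-Za-z.+-]*\)$/\1/p' | head -n 1
}

# Succeeds only for the exact affected release (8.12.1 must not match).
is_affected_gradle_version() {
    [ "$1" = "8.12" ]
}

# Succeeds when the directory is world-writable without the sticky bit,
# i.e. any local user can delete or replace files other users put there.
tmpdir_is_unprotected() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$perms" in
        d???????w[!tT]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a verdict; return 1 only when both conditions hold.
audit_host() {
    dir=${1:-/tmp}
    version=$(gradle --version 2>/dev/null | gradle_version_from_output)
    if [ -z "$version" ]; then
        echo "gradle not found on PATH"
        return 0
    fi
    if is_affected_gradle_version "$version" && tmpdir_is_unprotected "$dir"; then
        echo "AFFECTED: Gradle $version with unprotected $dir"
        return 1
    fi
    echo "OK: Gradle $version, $dir checked"
    return 0
}

# Usage: audit_host /tmp
```

If builds run with a custom -Djava.io.tmpdir, pass that directory to audit_host instead of /tmp.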
📡 Detection & Monitoring
Log Indicators:
- Unusual file operations in /tmp directory during Gradle builds
- Permission denied errors when accessing temporary files
Network Indicators:
- None - local attack only
SIEM Query:
Process execution: gradle AND File creation/deletion in /tmp with rapid succession
🔗 References
- https://en.wikipedia.org/wiki/Fstab#Options_common_to_all_filesystems
- https://en.wikipedia.org/wiki/Sticky_bit
- https://github.com/gradle/gradle/pull/32025
- https://github.com/gradle/gradle/security/advisories/GHSA-465q-w4mf-4f4r
- https://github.com/gradle/gradle/security/advisories/GHSA-89qm-pxvm-p336
- https://github.com/gradle/native-platform/blob/574dfe8d9fb546c990436468d617ab81c140871d/native-platform/src/main/java/net/rubygrapefruit/platform/internal/NativeLibraryLocator.java#L68-L78
- https://github.com/gradle/native-platform/pull/353
- https://github.com/gradle/native-platform/security/advisories/GHSA-2xxp-vw2f-p3x8