CVE-2018-12027
Description
An Insecure Permissions vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 causes information disclosure in the following situation: given a Passenger-spawned application process that reports that it listens on a certain Unix domain socket, if any of the parent directories of said socket are writable by a normal user that is not the application's user, then that non-application user can swap that directory with something else, resulting in traffic being redirected to a non-application user's process through an alternative Unix domain socket.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Phusion Passenger 5.3.x before 5.3.2 has an insecure permissions vulnerability in SpawningKit that allows local attackers to redirect Unix domain socket traffic.
Vulnerability
An insecure permissions vulnerability exists in Phusion Passenger versions 5.3.x prior to 5.3.2 within the SpawningKit component [1][2]. When a Passenger-spawned application process reports that it listens on a certain Unix domain socket, if any of the parent directories of that socket are writable by a normal user other than the application's user, the non-application user can swap that directory with an alternative one. This results in traffic being redirected to a process controlled by the non-application user through an alternative Unix domain socket, leading to information disclosure [1].
Exploitation
The attacker must be a local user with write access to a parent directory of the Unix domain socket used by the Passenger-spawned application process [1]. The attacker does not need to be the application's user. By swapping the directory, the attacker can intercept or redirect socket-based communication intended for the legitimate application process to a socket they control [1].
Impact
Successful exploitation leads to redirection of traffic intended for the legitimate application process. This can result in information disclosure, as the attacker can intercept data sent over the Unix domain socket [1][4]. The impact is limited to local users with the required directory write permissions.
Mitigation
Users should upgrade to Phusion Passenger version 5.3.2 or later, where this vulnerability is fixed [1][2]. Gentoo users can update via the package manager with `emerge --ask --oneshot --verbose ">=www-apache/passenger-5.3.2"` [4]. No known workaround is available for unpatched versions [4].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
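The precondition described above (a parent directory of the socket writable by someone other than the application's user) can be audited on a host. The following is an added example, not code from Passenger or from the advisories; the function names, the `trusted_uids` parameter and the temporary sample layout are assumptions made for illustration.

```python
import os
import stat
import tempfile

def audit_socket_parents(socket_path, app_uid, trusted_uids=(0,)):
    """List parent directories of socket_path that a user other than
    app_uid (or a trusted uid such as root) may be able to write to.
    Returns [(directory, [reasons])], nearest directory first."""
    allowed = set(trusted_uids) | {app_uid}
    findings = []
    # Resolve symlinks first so the directories examined are the real ones.
    current = os.path.dirname(os.path.realpath(socket_path))
    while True:
        st = os.stat(current)
        reasons = []
        if st.st_uid not in allowed:
            reasons.append(f"owned by uid {st.st_uid}")
        if st.st_mode & stat.S_IWGRP:
            # Conservative: group membership is not resolved here.
            reasons.append(f"group-writable (gid {st.st_gid})")
        if st.st_mode & stat.S_IWOTH:
            sticky = ", sticky bit set" if st.st_mode & stat.S_ISVTX else ""
            reasons.append("world-writable" + sticky)
        if reasons:
            findings.append((current, reasons))
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            break
        current = parent
    return findings

def build_sample_tree():
    """Constructed layout: <tmp>/shared (0777) / app (0700) / app.sock."""
    base = os.path.realpath(tempfile.mkdtemp())
    shared = os.path.join(base, "shared")
    app = os.path.join(shared, "app")
    os.mkdir(shared)
    os.mkdir(app)
    os.chmod(shared, 0o777)  # explicit chmod: mkdir mode is subject to umask
    os.chmod(app, 0o700)
    return base, shared, app, os.path.join(app, "app.sock")

if __name__ == "__main__":
    base, shared, app, sock = build_sample_tree()
    for directory, reasons in audit_socket_parents(sock, os.getuid()):
        print(f"{directory}: {', '.join(reasons)}")
```

The check is a point-in-time audit of directory ownership and mode bits only; it does not replace upgrading to 5.3.2.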
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| passenger (RubyGems) | >= 5.3.0, < 5.3.2 | 5.3.2 |
References
- github.com/advisories/GHSA-whfx-877c-5p28 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-12027 (advisory)
- security.gentoo.org/glsa/201807-02 (vendor advisory, Gentoo)
- blog.phusion.nl/passenger-5-3-2 (web)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2018-12027.yml (web)