CVE-2018-12029
Description
A race condition in the nginx module in Phusion Passenger 3.x through 5.x before 5.3.2 allows local escalation of privileges when a non-standard passenger_instance_registry_dir with insufficiently strict permissions is configured. Replacing a file with a symlink after the file was created, but before it was chowned, leads to the target of the link being chowned via the path. Targeting sensitive files such as root's crontab file allows privilege escalation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in Phusion Passenger's Nginx module before 5.3.2 allows local privilege escalation via symlink replacement of a pid file.
Vulnerability
A race condition exists in the Nginx module of Phusion Passenger versions 3.x through 5.x prior to 5.3.2 [1][2]. The issue occurs when the passenger_instance_registry_dir is configured to a non-standard directory with permissions that allow the www-data user to write, e.g., /opt/mytmp [2]. When Passenger creates the control_process.pid file, it calls chown() to change the file's owner from root to www-data [2]. There is a time window between file creation and the chown() call during which an attacker can replace the file with a symlink [1][2].
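The create-then-chown-by-path sequence described above, next to a descriptor-based form that leaves no window between the two steps. This is an added example, not Passenger's code and not the change shipped in 5.3.2; the function names and the demo file name are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Racy pattern: the path is resolved twice, once to create the file and once
 * to chown it. chown() follows symlinks, so it acts on the second lookup. */
int write_pid_racy(const char *path, uid_t uid, gid_t gid)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fprintf(f, "%ld\n", (long)getpid());
    fclose(f);
    /* Window: the directory entry can change between fclose() and chown(). */
    return chown(path, uid, gid);
}

/* Descriptor-based pattern: create the file exclusively, refuse symlinks, and
 * change ownership of the inode that was opened rather than of a path. */
int write_pid_safe(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    /* O_CREAT|O_EXCL fails with EEXIST if the name exists, symlinks included. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_nlink == 1 &&
        fchown(fd, uid, gid) == 0 && dprintf(fd, "%ld\n", (long)getpid()) > 0)
        return close(fd);
    int saved = errno;              /* keep the first error for the caller */
    close(fd);
    errno = saved;
    return -1;
}

int main(void)
{
    const char *path = "control_process.pid.demo";   /* constructed demo name */
    int rc = write_pid_safe(path, getuid(), getgid());
    printf("write_pid_safe: %s\n", rc == 0 ? "ok" : "refused");
    if (rc == 0) unlink(path);
    return rc == 0 ? 0 : 1;
}
```

Because fchown() operates on the open descriptor, a later change to the directory entry cannot redirect the ownership change to another file.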
Exploitation
An attacker already holding www-data privileges and with write access to the passenger_instance_registry_dir directory can exploit this race condition [2]. When Nginx is restarted, the module creates the pid file as root and then proceeds to change its ownership. The attacker must replace the legitimate file with a symbolic link targeting a sensitive file (e.g., root's crontab) before the chown() syscall executes [1]. The race window is short, but the attack can be repeated by restarting Nginx multiple times [2].
Impact
Successful exploitation results in the attacker (the www-data user) gaining ownership of any file on the filesystem that is targeted by the symlink [1][2]. This includes critical system files such as root's crontab, which can be subsequently modified to execute arbitrary commands with root privileges, leading to full local privilege escalation [1].
Mitigation
The vulnerability is fixed in Phusion Passenger version 5.3.2 [1][2]. Users should upgrade to this version or later. Gentoo users can update via emerge --sync && emerge --ask --verbose ">=www-apache/passenger-5.3.2" [4]. As a workaround, ensure that the passenger_instance_registry_dir is not writable by unprivileged users, or use the default directory which is not exploitable [2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| passenger (RubyGems) | >= 3.0.0, < 5.3.2 | 5.3.2 |
Affected products
- ghsa-coords, 2 versions: pkg:gem/passenger; pkg:rpm/suse/rubygem-passenger&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2012
- (no CPE) range: >= 3.0.0, < 5.3.2
- (no CPE) range: < 5.0.18-12.9.1
References
- github.com/advisories/GHSA-jjcj-fgfm-9g9r (advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-12029 (advisory)
- security.gentoo.org/glsa/201807-02 (vendor advisory)
- blog.phusion.nl/2018/06/12/passenger-5-3-2-various-security-fixes (web)
- blog.phusion.nl/passenger-5-3-2 (web)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2018-12029.yml (web)
- lists.debian.org/debian-lts-announce/2018/06/msg00007.html (mailing list)
- pulsesecurity.co.nz/advisories/phusion-passenger-priv-esc (web)