CVE-2025-10937
Description
Oxford Nanopore Technologies' MinKNOW software at or prior to version 24.11 creates a temporary file to store the local authentication token during startup, before copying it to its final location. This temporary file is created in a directory accessible to all users on the system. An unauthorized local user or process can exploit this behavior by placing a file lock on the temporary token file using the flock system call. This prevents MinKNOW from completing the token generation process. As a result, no valid local token is created, and the software is unable to execute commands on the sequencer. This leads to a denial-of-service (DoS) condition, blocking sequencing operations.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MinKNOW prior to 24.11 creates a world-readable temporary token file that a local attacker can lock, causing a denial of service by blocking sequencing operations.
Vulnerability
CVE-2025-10937 in Oxford Nanopore Technologies' MinKNOW software (versions at or prior to 24.11) stems from an insecure temporary file creation during startup. The software generates a local authentication token in a temporary file located in a system directory accessible to all users, before copying it to its final secure location [1]. This violates the principle of least privilege by exposing credentials in a world-readable path [2].
Exploitation requires local access to the host machine. An unauthorized user or process can place a file lock on the temporary token file using the flock system call. This prevents MinKNOW from completing the token generation process, resulting in no valid local token being created [1]. The attack does not require elevated privileges, only the ability to execute code or scripts on the system.
The impact is a denial-of-service (DoS) condition that blocks the software from executing commands on the sequencer, effectively halting all sequencing operations [1]. This can disrupt critical research or diagnostic workflows that depend on continuous data acquisition.
Oxford Nanopore Technologies has addressed this vulnerability in MinKNOW version 24.11 and later [1]. Users are advised to update to the latest version available from the vendor's software portal [4]. No workaround is documented; upgrading is the recommended mitigation.
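The safer pattern for the token-creation step described above, as an added example that is not Oxford Nanopore's code or its actual fix: the temporary file is created inside a private, service-owned directory and then renamed into place, so no other local user can open it to take a lock. The function names, the `local_token.json` file name and the token format are assumptions made for illustration.

```python
import os
import secrets
import stat
import tempfile


class UnsafeDirectory(Exception):
    """Raised when the token directory is reachable by other local users."""


def check_private_dir(path):
    """Require a real directory, owned by this user, with no group/other access."""
    st = os.lstat(path)  # lstat: a symlink to a directory is rejected
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafeDirectory(f"{path} is not a directory")
    if st.st_uid != os.geteuid():
        raise UnsafeDirectory(f"{path} is owned by uid {st.st_uid}")
    if st.st_mode & 0o077:
        mode = stat.S_IMODE(st.st_mode)
        raise UnsafeDirectory(f"{path} has mode {mode:o}, group/other can reach it")


def write_token(token_dir, name="local_token.json", token=None):
    """Write the token through a temp file in the same private directory."""
    check_private_dir(token_dir)
    token = token or secrets.token_hex(32)
    # mkstemp opens with O_CREAT|O_EXCL and mode 0600, so the file is new and
    # only this user can open it; flock() needs an open descriptor.
    fd, tmp_path = tempfile.mkstemp(prefix=".token-", dir=token_dir)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(token)
            fh.flush()
            os.fsync(fh.fileno())
        final_path = os.path.join(token_dir, name)  # hypothetical file name
        os.replace(tmp_path, final_path)  # atomic rename on one filesystem
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return final_path


if __name__ == "__main__":
    print(write_token(tempfile.mkdtemp(), token="constructed-sample-token"))
```
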
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=24.11
Patches
No patches discovered yet.
References
4 references