Kea configuration and API directives can be used to...

Moderate severity, Unreviewed

Published by the National Vulnerability Database May 28, 2025. Published to the GitHub Advisory Database May 28, 2025. Updated May 28, 2025.

Description

Kea configuration and API directives can be used to overwrite arbitrary files, subject to permissions granted to Kea. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths.
This issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8.
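
An exposure check built from the conditions above, as an added example that is not part of the advisory or of Kea itself: it tests a version string against the affected ranges and flags root execution and control sockets under shared directories. It assumes the caller supplies the version string and effective UID, that the configuration is plain JSON with comments already stripped, and that the listed directory prefixes stand in for "insecure paths", which the advisory does not enumerate.

```python
import json

# Affected ranges, inclusive, exactly as listed in the advisory text.
AFFECTED = [((2, 4, 0), (2, 4, 1)), ((2, 6, 0), (2, 6, 2)), ((2, 7, 0), (2, 7, 8))]
# Assumption: prefixes treated as "insecure paths" because such directories are
# usually world-writable. The advisory itself does not enumerate any paths.
SHARED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def parse_version(text):
    """'2.6.1' or '2.6.1-git' -> (2, 6, 1); missing parts are padded with 0."""
    parts = [int(p) for p in text.strip().split("-")[0].split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version_text):
    v = parse_version(version_text)
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def socket_names(node):
    """Yield every 'socket-name' string found anywhere in a parsed Kea config."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "socket-name" and isinstance(value, str):
                yield value
            else:
                yield from socket_names(value)
    elif isinstance(node, list):
        for item in node:
            yield from socket_names(item)

def audit(version_text, config_text, euid):
    """Return findings for version, privilege and socket-path exposure."""
    findings = []
    if is_affected(version_text):
        findings.append("version %s is in an affected range" % version_text)
    if euid == 0:
        findings.append("daemon runs as root")
    for path in socket_names(json.loads(config_text)):
        if path.startswith(SHARED_DIRS):
            findings.append("control socket in shared directory: " + path)
    return findings

# Constructed sample input, not taken from a real deployment.
SAMPLE_CONFIG = """{"Dhcp4": {"control-socket":
    {"socket-type": "unix", "socket-name": "/tmp/kea4-ctrl-socket"}}}"""

if __name__ == "__main__":
    for line in audit("2.6.1", SAMPLE_CONFIG, euid=0):
        print("FINDING:", line)
```

A version outside the listed ranges only means this advisory's text does not name it; the root and socket-path findings are worth acting on regardless.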