Impact
GNU nano creates the user-specific directory ~/.local with overly permissive permissions when it does not yet exist. The editor explicitly requests mode 0777 for this directory during the first XDG data storage operation, making it world-writable in environments that do not enforce a restrictive umask. A local attacker who can run nano on the same system can exploit a window between the directory's creation and the subsequent creation of more restrictive subdirectories. By writing attacker-controlled files into the XDG hierarchy, the attacker can potentially alter the configuration or execution environment of applications that read files from ~/.local, leading to privilege abuse or local compromise. The weakness is a misconfiguration that results in improper access control during directory creation (CWE-732).
Affected Systems
The vulnerability affects the GNU nano text editor. All releases prior to nano 9.0 create the ~/.local directory with world-writable permissions. Systems that rely on nano for user interaction and that use a relaxed umask, such as container environments, CI/CD runners, embedded devices, or user shells set to umask 000, are at risk. The flaw is mitigated in nano 9.0 and later, where the default directory mode is restricted.
Risk and Exploitability
The CVSS score of 2.1 indicates low severity, and the EPSS score was not reported. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires local access to a process that can run nano; the attacker must also be able to observe or influence the race between the creation of ~/.local and the creation of subdirectories. Because of this race condition and the local nature of the flaw, the likelihood of exploitation is low, but in environments with a zero or very permissive umask the risk is higher. The attacker can use the malicious file to influence programs that read from the XDG directory hierarchy, potentially enabling local privilege escalation or denial of service of user applications.
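The following added example (not code from nano or from this advisory) shows how a requested mode of 0777 combines with the umask and how to audit for the resulting world-writable ~/.local directories. The function names, the sample users and the `go-w` fix are assumptions made for illustration; the test homes are constructed under a temporary directory.

```shell
#!/bin/sh
# Added example. Paths under the temp directory are constructed test data.

# make_with_umask DIR UMASK
# Plain mkdir requests mode 0777, like the mkdir() call described above;
# the mode that lands on disk is 0777 & ~umask.
make_with_umask() {
    ( umask "$2" && mkdir "$1" )
}

# is_world_writable DIR -> status 0 when "other" has write permission.
is_world_writable() {
    [ -n "$(find "$1" -prune -type d -perm -0002 -print 2>/dev/null)" ]
}

# audit_local HOMES_ROOT -> prints every <home>/.local that is world-writable.
audit_local() {
    for home in "$1"/*; do
        [ -d "$home/.local" ] || continue
        if is_world_writable "$home/.local"; then
            printf '%s\n' "$home/.local"
        fi
    done
}

# harden DIR -> drop group/other write (the exact fixed mode in nano 9.0
# is not stated on the page, so this choice is an assumption).
harden() {
    chmod go-w "$1"
}

demo() {
    root=$(mktemp -d) || return 1
    for spec in alice:000 bob:022 carol:077; do
        user=${spec%%:*}; mask=${spec##*:}
        mkdir "$root/$user"
        make_with_umask "$root/$user/.local" "$mask"
    done
    echo "world-writable before fix:"; audit_local "$root"
    for d in $(audit_local "$root"); do harden "$d"; done
    echo "world-writable after fix: $(audit_local "$root" | wc -l)"
    rm -rf "$root"
}

demo
```

Only the directory created under umask 000 is reported; pointing `audit_local` at the real home root checks directories that were created before an upgrade to nano 9.0.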