CVE-2025-29787: zip Incorrectly Canonicalizes Paths during Archive Extraction Leading to Arbitrary File Write
(updated )
In the archive extraction routine of affected versions of the zip crate, symbolic links earlier in the archive are allowed to be used for later files in the archive without validation of the final canonicalized path, allowing maliciously crafted archives to overwrite arbitrary files in the file system when extracted.
References
- gist.github.com/eternal-flame-AD/bf71ef4f6828e741eb12ce7fd47b7b85
- github.com/advisories/GHSA-94vh-gphv-8pm8
- github.com/zip-rs/zip2
- github.com/zip-rs/zip2/commit/a2e062f37066c3b12860a32eb1cb44856cfb7afe
- github.com/zip-rs/zip2/releases/tag/v2.3.0
- github.com/zip-rs/zip2/security/advisories/GHSA-94vh-gphv-8pm8
- nvd.nist.gov/vuln/detail/CVE-2025-29787
Code Behaviors & Features
Detect and mitigate CVE-2025-29787 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →