Description

`zip` is a zip library for rust which supports reading and writing of simple ZIP files. In the archive extraction routine of affected versions of the `zip` crate starting with version 1.3.0 and prior to version 2.3.0, symbolic links earlier in the archive are allowed to be used for later files in the archive without validation of the final canonicalized path, allowing maliciously crafted archives to overwrite arbitrary files in the file system when extracted. Users who extract untrusted archive files using the following high-level API method may be affected and critical files on the system may be overwritten with arbitrary file permissions, which can potentially lead to code execution. Version 2.3.0 fixes the issue.

INFO

Published Date :

2025-03-17T13:19:23.925Z

Last Modified :

2025-03-19T15:50:49.160Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-29787 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-29787.

URL Resource
https://gist.github.com/eternal-flame-AD/bf71ef4f6828e741eb12ce7fd47b7b85 cve-icon cve-icon
https://github.com/zip-rs/zip2/commit/a2e062f37066c3b12860a32eb1cb44856cfb7afe cve-icon cve-icon
https://github.com/zip-rs/zip2/releases/tag/v2.3.0 cve-icon cve-icon
https://github.com/zip-rs/zip2/security/advisories/GHSA-94vh-gphv-8pm8 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability