The zip crate is a widely used Rust library for handling zip archives; it supports reading and writing simple ZIP files. Recently, a critical vulnerability (CVE-2025-29787) was discovered in the zip crate, affecting versions from 1.3. up to, but not including, 2.3. of the crate. The vulnerability arises from a lack of validation of the final canonicalized path when extracting symbolic links from maliciously crafted archive files, which can lead to arbitrary file overwrite and, ultimately, code execution. It affects users who use the high-level API method to extract untrusted archive files.

Vulnerability and Exploit Details

The vulnerability lies in the archive extraction routine of the zip crate, specifically in its handling of symbolic links. When extracting an archive containing symbolic links, the zip crate does not validate that the final canonicalized path lies within the originally specified extraction directory. An attacker can therefore craft a malicious archive containing symbolic links to critical system files and use it to escalate privileges: when such an archive is extracted with an affected version of the zip crate, files outside the extraction directory may be overwritten, potentially compromising the system and leading to code execution.

Here's a code snippet illustrating the flaw behind the high-level API method for extracting archive files: symbolic links taken from the archive are created as-is, with no check on where they point:

use std::fs::File;
use std::io::Read;
use std::path::Path;
use zip::read::ZipArchive;

// Manual extraction loop with the same flaw as the affected extraction API:
// the symlink target read from the archive is created unchanged, with no
// validation that the final, canonicalized path stays inside `outpath`.
fn vulnerable_extract(zip_path: &str, outpath: &str) {
    // Open the provided zip file.
    let file = File::open(zip_path).unwrap();
    let mut archive = ZipArchive::new(file).unwrap();
    let outpath = Path::new(outpath);

    // Extract the archive's contents entry by entry.
    for i in 0..archive.len() {
        let mut file = archive.by_index(i).unwrap();
        let dest = outpath.join(file.mangled_name());
        if file.is_symlink() {
            // A symlink entry stores its target path as the entry's data.
            let mut target = String::new();
            file.read_to_string(&mut target).unwrap();
            // Unchecked symlink creation: `target` may point anywhere on the system.
            std::os::unix::fs::symlink(target, &dest).unwrap();
        } else {
            if let Some(parent) = dest.parent() {
                std::fs::create_dir_all(parent).unwrap();
            }
            let mut outfile = File::create(&dest).unwrap();
            std::io::copy(&mut file, &mut outfile).unwrap();
        }
    }
}
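For contrast, here is the validation the advisory describes as missing, as an added example that is not code from the zip crate or from the original post. It models archive entries with a small `Entry` enum (constructed here, so it needs no crate beyond the standard library) and applies two checks before anything touches disk: a lexical check that an entry name or symlink target cannot climb above the extraction root, and a filesystem check that canonicalizes the nearest existing ancestor of the destination, so a symlink that is already on disk and points outside the root is caught even when the entry name itself looks harmless. The names `lexical_join`, `stays_within_root`, `extract_checked` and `fresh_root` are this example's own; it creates real symlinks and so assumes a Unix host.

```rust
use std::ffi::OsString;
use std::fs;
use std::path::{Component, Path, PathBuf};

/// One archive entry, modelled without the zip crate (constructed for this
/// example) so the checks run with the standard library alone.
pub enum Entry {
    File { name: String, data: Vec<u8> },
    Symlink { name: String, target: String },
}

/// Lexical containment: join `rel` onto `root`, letting `..` pop only while
/// still below `root`; absolute paths and drive prefixes are rejected.
pub fn lexical_join(root: &Path, rel: &str) -> Option<PathBuf> {
    let mut out = root.to_path_buf();
    for comp in Path::new(rel).components() {
        match comp {
            Component::Normal(c) => out.push(c),
            Component::CurDir => {}
            // `..` at the root itself would climb out of the extraction dir.
            Component::ParentDir if out.as_path() == root => return None,
            Component::ParentDir => { out.pop(); }
            Component::RootDir | Component::Prefix(_) => return None,
        }
    }
    Some(out)
}

/// Filesystem containment, the check the advisory says was missing: follow
/// what already exists on disk (including symlinks extracted earlier) by
/// canonicalizing the nearest existing ancestor of `candidate`, then require
/// the result to stay under the canonical `root`. A dangling symlink on the
/// way is refused, since writing through it would create its target instead.
pub fn stays_within_root(root: &Path, candidate: &Path) -> bool {
    let Ok(root) = root.canonicalize() else { return false };
    let mut existing = candidate.to_path_buf();
    let mut tail: Vec<OsString> = Vec::new();
    while !existing.exists() {
        let is_link = existing.symlink_metadata().map_or(false, |m| m.file_type().is_symlink());
        if is_link {
            return false; // dangling symlink: exists() is false but the link is there
        }
        match existing.file_name() {
            Some(n) => tail.push(n.to_os_string()),
            None => return false,
        }
        existing.pop();
    }
    let Ok(mut resolved) = existing.canonicalize() else { return false };
    resolved.extend(tail.iter().rev());
    resolved.starts_with(&root)
}

/// Extract `entries` under `root` (Unix only), applying both checks to each
/// destination and to each symlink target, which is resolved from the link's
/// own directory. The first entry that fails a check aborts the extraction.
pub fn extract_checked(root: &Path, entries: &[Entry]) -> Result<Vec<PathBuf>, String> {
    let mut written = Vec::new();
    for e in entries {
        let (name, target) = match e {
            Entry::File { name, .. } => (name, None),
            Entry::Symlink { name, target } => (name, Some(target)),
        };
        let dest = lexical_join(root, name).ok_or(format!("{name}: escapes root lexically"))?;
        if !stays_within_root(root, &dest) {
            return Err(format!("{name}: resolves outside root"));
        }
        if let Some(target) = target {
            // Rebase the target on `root`: it is relative to the link's directory.
            let rel_dir = dest.parent().and_then(|p| p.strip_prefix(root).ok()).unwrap_or(Path::new(""));
            let rel = rel_dir.join(target);
            let rel = rel.to_str().ok_or(format!("{name}: non-UTF-8 target"))?;
            let abs = lexical_join(root, rel).ok_or(format!("{name}: symlink target escapes root"))?;
            if !stays_within_root(root, &abs) {
                return Err(format!("{name}: symlink target resolves outside root"));
            }
        }
        if let Some(parent) = dest.parent() {
            fs::create_dir_all(parent).map_err(|err| err.to_string())?;
        }
        match e {
            Entry::File { data, .. } => fs::write(&dest, data).map_err(|err| err.to_string())?,
            Entry::Symlink { target, .. } => {
                std::os::unix::fs::symlink(target, &dest).map_err(|err| err.to_string())?
            }
        }
        written.push(dest);
    }
    Ok(written)
}

/// Fresh, empty extraction root under the system temp dir (test scaffolding).
pub fn fresh_root(tag: &str) -> PathBuf {
    let root = std::env::temp_dir().join(format!("zip-check-{}-{tag}", std::process::id()));
    let _ = fs::remove_dir_all(&root);
    fs::create_dir_all(&root).expect("create temp root");
    root
}
```

The lexical check alone is not enough, which is the point of the advisory: an archive can first extract a symlink and then an ordinary file whose path passes through it, so the destination must be re-resolved against what is actually on disk at the moment of writing, and a symlink target must be checked after rebasing it on the link's own directory rather than on the root.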

Mitigation

The issue has been fixed in version 2.3. of the zip crate. Users are advised to update their dependency on the zip crate by specifying the following in the Cargo.toml manifest file:

[dependencies]
zip = "2.3."

To avoid this vulnerability, update to the fixed version and, more generally, keep the libraries and packages you depend on up to date.

Original References

- RustSec Advisory: Contains detailed information about the vulnerability.
- zip Crate on crates.io: The official page for the zip crate, which you can follow for updates and complete documentation.
- CVE-2025-29787 Record on NVD: The official listing for the vulnerability on the National Vulnerability Database.

Conclusion

It is crucial for users to always keep their dependencies up to date and follow best practices when handling untrusted inputs, such as archive files. The vulnerability in the zip crate serves as an important lesson for developers working with Rust and library maintainers alike to remain vigilant for potential security risks in their software. Be sure to update to version 2.3. or higher to address this issue.

Timeline

Published on: 03/17/2025 14:15:22 UTC
Last modified on: 03/19/2025 15:50:49 UTC