Security advisory for the standard library (CVE-2025-11233)


Pietro Albini
to rustlang-securi...@googlegroups.com
## Security advisory for the standard library (CVE-2025-11233)

> **Note:** because the affected target is classified as tier 3 and was still
> incomplete at the time this vulnerability was discovered, the fix was
> developed and released publicly months ago. Vulnerable code was nevertheless
> published as part of our releases: now that Rust is a CVE Numbering Authority
> we are backfilling a CVE ID for it.

Starting from Rust 1.87.0 and before Rust 1.89.0, the tier 3 Cygwin target
(`x86_64-pc-cygwin`) didn't correctly handle path separators: the standard
library's Path API treated only `/` as a separator, so path components separated
by backslashes were not recognised as components even though Cygwin itself
accepts `\` as a separator. Due to this, programs compiled for Cygwin that
validate paths (for example by inspecting `Path::components()` for `..`) could
misbehave, potentially allowing path traversal attacks or malicious filesystem
operations.

Rust 1.89.0 fixes the issue by handling both Win32 and Unix style paths in the
standard library for the Cygwin target. We recommend that users of the Cygwin
target upgrade to 1.89.0 or a later version.
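The following is an added illustration of the bug class described above; it is not code from the Rust standard library or from the advisory. `is_safe_std` is a typical application-level traversal check built on `Path::components()`. On a target whose `Path` implementation treats only `/` as a separator (Unix, and the affected Cygwin builds), the backslash-separated `..` segments in the constructed attacker input are invisible to it, even though the Cygwin filesystem layer would honour them. `is_safe_both_separators` is a hypothetical hardened check that treats `/` and `\` (and a Win32 drive prefix) the way the fixed target does; it shows the shape of the fix, but the real remedy is upgrading to Rust 1.89.0 or later rather than re-implementing path parsing in every application.

```rust
use std::path::{Component, Path};

/// Naive traversal check that relies on the standard library's component parsing.
/// On Unix-style separator handling (which the affected Cygwin builds used),
/// `uploads\..\..\etc\passwd` is a single normal component, so this returns true.
fn is_safe_std(input: &str) -> bool {
    let path = Path::new(input);
    !path.is_absolute()
        && path
            .components()
            .all(|c| !matches!(c, Component::ParentDir | Component::RootDir | Component::Prefix(_)))
}

/// Hypothetical hardened check (assumption: not the std library's patch).
/// Treats both '/' and '\\' as separators, as Cygwin does at the filesystem
/// level, and rejects absolute paths, Win32 drive prefixes and ".." segments.
fn is_safe_both_separators(input: &str) -> bool {
    let bytes = input.as_bytes();
    // Reject Unix/Win32 absolute paths: "/x", "\x".
    if matches!(bytes.first(), Some(b'/') | Some(b'\\')) {
        return false;
    }
    // Reject Win32 drive prefixes such as "C:".
    if bytes.len() >= 2 && bytes[0].is_ascii_alphabetic() && bytes[1] == b':' {
        return false;
    }
    input
        .split(|c| c == '/' || c == '\\')
        .all(|segment| segment != "..")
}

/// Runs both checks over constructed sample inputs and returns
/// (std_check_result, hardened_check_result) for each.
fn evaluate(inputs: &[&str]) -> Vec<(bool, bool)> {
    inputs
        .iter()
        .map(|p| (is_safe_std(p), is_safe_both_separators(p)))
        .collect()
}

fn main() {
    // Constructed sample inputs: one benign upload name, three traversal attempts.
    let samples = [
        "uploads/report.txt",
        "uploads/../../etc/passwd",
        "uploads\\..\\..\\etc\\passwd",
        "C:\\Windows\\win.ini",
    ];
    for (input, (std_ok, hardened_ok)) in samples.iter().zip(evaluate(&samples)) {
        println!("{input:<30} std_check={std_ok:<5} both_separators={hardened_ok}");
    }
}
```

On a Unix host (and on the affected Cygwin target) the backslash traversal and the drive-letter path pass `is_safe_std` while only the benign name passes the hardened check; on a Windows host the standard library already parses `\` and `C:`, so both checks agree there.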

This vulnerability is identified by CVE-2025-11233.

While we assess the severity of this vulnerability as "medium", please note that
the tier 3 Cygwin compilation target is only available when building it from
source: no pre-built binaries are distributed by the Rust project, and it cannot
be installed through Rustup. Unless you manually compiled the `x86_64-pc-cygwin`
target you are not affected by this vulnerability. Users of the tier 1 MinGW
target (`x86_64-pc-windows-gnu`) are also explicitly not affected.

We want to thank RyotaK for reporting this issue.
