CVE-2025-11233
Gravedad CVSS v4.0:
MEDIA
Tipo:
CWE-22
Limitación incorrecta de nombre de ruta a un directorio restringido (Path Traversal)
Fecha de publicación:
01/10/2025
Última modificación:
02/10/2025
Descripción
*** Pendiente de traducción *** Starting from Rust 1.87.0 and before Rust 1.89.0, the tier 3 Cygwin target (`x86_64-pc-cygwin`) didn&#39;t correctly handle path separators, causing the standard library&#39;s Path API to ignore path components separated by backslashes. Due to this, programs compiled for Cygwin that validate paths could misbehave, potentially allowing path traversal attacks or malicious filesystem operations.<br />
<br />
<br />
<br />
<br />
Rust 1.89.0 fixes the issue by handling both Win32 and Unix style paths in the standard library for the Cygwin target.<br />
<br />
<br />
<br />
While we assess the severity of this vulnerability as "medium", please note that the tier 3 Cygwin compilation target is only available when building it from source: no pre-built binaries are distributed by the Rust project, and it cannot be installed through Rustup. Unless you manually compiled the `x86_64-pc-cygwin` target you are not affected by this vulnerability. Users of the tier 1 MinGW target (`x86_64-pc-windows-gnu`) are also explicitly not affected.