Platform: rust
Component: zip
Fixed in: 1.3.1, 2.3.0
CVE-2025-29787 describes an Arbitrary File Access vulnerability within the zip crate, a Rust library for handling ZIP archives. This flaw allows attackers to overwrite arbitrary files on a system during archive extraction by exploiting improper handling of symbolic links. Versions of the zip crate prior to 2.3.0 are affected, and a fix has been released. This vulnerability is a variant of the known 'zip-slip' vulnerability.
The core of this vulnerability lies in the zip crate's archive extraction routine. A malicious actor can craft a ZIP archive containing symbolic links. If such a link points to a directory outside the intended extraction target, earlier versions of the crate fail to validate the final, canonicalized path properly, so subsequent entries whose paths pass through the link are written to arbitrary locations on the file system. The potential impact is severe, ranging from data corruption and privilege escalation to complete system compromise, depending on the permissions of the user extracting the archive and the locations targeted by the attacker. This is similar to the broader 'zip-slip' vulnerability, where attackers leverage archive structures to bypass security controls.
CVE-2025-29787 is a relatively recent disclosure, published on 2025-03-17. It is considered a variant of the well-known 'zip-slip' vulnerability, which has seen prior exploitation. The EPSS score is pending evaluation, but given the potential for arbitrary file access and the similarity to other exploited zip-slip vulnerabilities, the probability of exploitation should be treated as medium to high. No public exploits are currently available, but the nature of the vulnerability makes it a likely target for opportunistic attackers. Monitor security advisories and threat intelligence feeds for signs of active exploitation.
Exploit Status
EPSS: 0.27% (51st percentile)
CISA SSVC
The primary mitigation is to upgrade to version 2.3.0 or later of the zip crate. This version includes the necessary fixes to properly validate symbolic link paths during extraction, preventing the arbitrary file access. If upgrading is not immediately feasible, consider implementing robust path validation within your extraction logic. This involves canonicalizing file paths before writing to the file system and ensuring they remain within the intended extraction directory. Web application firewalls (WAFs) or proxy servers can be configured to inspect ZIP archives for suspicious symbolic links before allowing them to be processed. Detection signatures, such as YARA rules, can be crafted to identify potentially malicious ZIP archives containing unusual symbolic link patterns. After upgrading, confirm the fix by attempting to extract a known malicious archive (if available) and verifying that it no longer allows arbitrary file writes.
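The path validation just described (canonicalize before writing and confirm the result stays inside the extraction directory), together with the symlink mechanism from the analysis above, as an added example in Rust that is not code from the zip crate or from this advisory. It models archive entries with a small `Entry` enum instead of reading a real archive so that it runs stand-alone; the `Entry` type, the helper names and the scratch directory layout are assumptions of the example, and the symlink calls are unix-only.

```rust
// Added example, not code from the zip crate: a hardened extraction routine that
// applies the mitigation in the advisory. Entries are modelled with an enum; unix-only.
use std::fs;
use std::io::{self, Error, ErrorKind};
use std::path::{Component, Path, PathBuf};

/// One entry of a constructed archive: a regular file or a symbolic link.
#[derive(Debug, Clone)]
pub enum Entry {
    File { name: String, data: Vec<u8> },
    Symlink { name: String, target: String },
}

fn reject(msg: String) -> Error {
    Error::new(ErrorKind::InvalidInput, msg)
}

/// Lexical check: only plain components, so no absolute path, no prefix, no `..`.
pub fn lexical_ok(name: &str) -> bool {
    !name.is_empty()
        && Path::new(name).components().all(|c| matches!(c, Component::Normal(_)))
}

/// Join `name` onto `dest` and confirm that, after following any symlink already on
/// disk, the write still lands inside `dest`. This catches a link planted by an earlier entry.
pub fn resolve_inside(dest: &Path, name: &str) -> io::Result<PathBuf> {
    if !lexical_ok(name) {
        return Err(reject(format!("unsafe entry name {name:?}")));
    }
    let dest_real = dest.canonicalize()?;
    let full = dest_real.join(name);
    // Never write onto an existing symlink: fs::write would follow it.
    if let Ok(md) = fs::symlink_metadata(&full) {
        if md.file_type().is_symlink() {
            return Err(reject(format!("{name:?} already exists as a symlink")));
        }
    }
    // Canonicalize the deepest ancestor that exists; directories below it are
    // created fresh by the caller and cannot contain a planted link.
    let existing = full.ancestors().skip(1)
        .find(|p| fs::symlink_metadata(p).is_ok())
        .unwrap_or(dest_real.as_path());
    if !existing.canonicalize()?.starts_with(&dest_real) {
        return Err(reject(format!("{name:?} resolves outside the target directory")));
    }
    Ok(full)
}

/// Extract `entries` into `dest`. Symlink entries are refused unless `allow_symlinks` is
/// set, and then only with a relative target free of `..`, which cannot leave `dest`.
pub fn extract(dest: &Path, entries: &[Entry], allow_symlinks: bool) -> io::Result<Vec<PathBuf>> {
    let mut written = Vec::new();
    for entry in entries {
        let (name, link_target) = match entry {
            Entry::File { name, .. } => (name, None),
            Entry::Symlink { name, target } => (name, Some(target)),
        };
        if let Some(target) = link_target {
            if !allow_symlinks {
                return Err(reject(format!("symlink entry {name:?} refused by policy")));
            }
            if !lexical_ok(target) {
                return Err(reject(format!("symlink {name:?} -> {target:?} could escape")));
            }
        }
        let path = resolve_inside(dest, name)?;
        if let Some(parent) = path.parent() {
            fs::create_dir_all(parent)?;
        }
        match entry {
            Entry::File { data, .. } => fs::write(&path, data)?,
            Entry::Symlink { target, .. } => std::os::unix::fs::symlink(target, &path)?,
        }
        written.push(path);
    }
    Ok(written)
}

/// Scratch tree for the demo: `<tmp>/<tag>/dest` plus a sibling `outside`, with
/// `dest/link -> ../outside` already planted, as a vulnerable extractor might leave it.
pub fn scratch_tree(tag: &str) -> io::Result<(PathBuf, PathBuf)> {
    let root = std::env::temp_dir().join(format!("zip-slip-demo-{}-{tag}", std::process::id()));
    let _ = fs::remove_dir_all(&root);
    let (dest, outside) = (root.join("dest"), root.join("outside"));
    fs::create_dir_all(&dest)?;
    fs::create_dir_all(&outside)?;
    std::os::unix::fs::symlink("../outside", dest.join("link"))?;
    Ok((dest, outside))
}

fn main() -> io::Result<()> {
    let (dest, outside) = scratch_tree("main")?;
    // Constructed archive: a harmless file, then a write aimed through the planted link.
    let archive = [
        Entry::File { name: "docs/readme.txt".into(), data: b"hello".to_vec() },
        Entry::File { name: "link/evil.txt".into(), data: b"pwned".to_vec() },
    ];
    println!("{:?}", extract(&dest, &archive, false));
    println!("escaped write happened: {}", outside.join("evil.txt").exists());
    Ok(())
}
```

Two checks do the work. The lexical check rejects `..` and absolute names, which is the classic zip-slip case; the on-disk check canonicalizes the deepest existing ancestor of the target path, so a symlink written by an earlier entry (the variant this advisory covers) cannot redirect a later write outside the destination. Symlink entries are refused unless the caller opts in, and even then only relative targets without `..` are created.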
Update the `zip` library to version 2.3.0 or higher. This will fix the arbitrary file write vulnerability during ZIP archive extraction. Run `cargo update` to update your project's dependencies.
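A way to confirm what Cargo actually resolved, as an added example that is not taken from the advisory or the zip project. One caveat worth knowing: `cargo update` only moves a dependency within the version requirement written in Cargo.toml, so a project that declares `zip = "1"` or `zip = "0.6"` must have that requirement raised to `"2.3"` before `cargo update` can pull in 2.3.0. The example scans a Cargo.lock (a constructed sample is embedded; pass a real path as the first argument) and compares every resolved `zip` version with the "Fixed in" releases listed at the top of this page, 1.3.1 on the 1.x line and 2.3.0 otherwise. The function names and the sample lock file are assumptions of the example; it uses only the standard library.

```rust
// Added example, not from the advisory or the zip project: find the resolved `zip`
// version(s) in a Cargo.lock and compare them with the "Fixed in" releases
// (1.3.1 on the 1.x line, 2.3.0 otherwise). Uses only std, no TOML crate.

/// Constructed sample Cargo.lock (only the fields the scanner reads).
pub const SAMPLE_LOCK: &str = r#"# This file is automatically @generated by Cargo.
version = 4

[[package]]
name = "flate2"
version = "1.0.35"

[[package]]
name = "zip"
version = "2.2.0"
dependencies = [
 "flate2",
]
"#;

/// Parse "2.3.0" into [2, 3, 0]. Anything not purely numeric (a pre-release
/// tag, for instance) yields None and is treated as not fixed.
pub fn parse_version(v: &str) -> Option<Vec<u64>> {
    v.split('.').map(|p| p.parse::<u64>().ok()).collect()
}

/// Every `zip` version resolved in the lock file; a tree can carry more than one copy.
pub fn zip_versions_in_lock(lock: &str) -> Vec<String> {
    let mut out = Vec::new();
    let mut in_zip = false;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            in_zip = false;
        } else if line == r#"name = "zip""# {
            in_zip = true;
        } else if in_zip {
            if let Some(rest) = line.strip_prefix("version = ") {
                out.push(rest.trim_matches('"').to_string());
                in_zip = false;
            }
        }
    }
    out
}

/// True if `v` is at or above the fixed release for its major line.
pub fn is_fixed(v: &str) -> bool {
    let parts = match parse_version(v) {
        Some(p) => p,
        None => return false,
    };
    let floor: Vec<u64> = if parts.first() == Some(&1) { vec![1, 3, 1] } else { vec![2, 3, 0] };
    parts >= floor
}

/// (version, fixed?) for each zip copy in the lock file.
pub fn report(lock: &str) -> Vec<(String, bool)> {
    zip_versions_in_lock(lock)
        .into_iter()
        .map(|v| {
            let fixed = is_fixed(&v);
            (v, fixed)
        })
        .collect()
}

fn main() {
    // With no argument the constructed sample is scanned; otherwise the given Cargo.lock.
    let lock = match std::env::args().nth(1) {
        Some(path) => std::fs::read_to_string(path).expect("cannot read Cargo.lock"),
        None => SAMPLE_LOCK.to_string(),
    };
    if zip_versions_in_lock(&lock).is_empty() {
        println!("zip is not in this lock file");
    }
    for (v, fixed) in report(&lock) {
        println!("zip {v}: {}", if fixed { "fixed" } else { "AFFECTED, upgrade" });
    }
}
```

Run it as `cargo run -- Cargo.lock` in a checkout, or against the lock file of every binary in a monorepo; a version such as 0.6.x falls on neither fixed line and is reported as affected.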
CVE-2025-29787 is a HIGH severity vulnerability in the zip crate that allows attackers to overwrite files during ZIP archive extraction due to improper symbolic link handling.
You are affected if you are using the zip crate before version 2.3.0 and process ZIP archives, especially those from untrusted sources.
Upgrade to version 2.3.0 or later of the zip crate. If upgrading isn't possible, implement robust path validation during extraction.
While no public exploits are currently available, the vulnerability's nature makes it a likely target for exploitation, given its similarity to other zip-slip vulnerabilities.
Refer to the zip crate's repository and related security advisories for the most up-to-date information: [https://github.com/zip-rs/zip2](https://github.com/zip-rs/zip2)