Platform
rust
Component
rustfs
Fixed in
1.0.1
1.0.0-alpha.79
CVE-2025-68705 represents a critical Path Traversal vulnerability discovered in rustfs. This flaw allows attackers to potentially read or write arbitrary files on the system, compromising data integrity and confidentiality. The vulnerability stems from inadequate path validation within the /rustfs/rpc/readfilestream endpoint and impacts versions of rustfs before 1.0.0-alpha.79. A fix has been released in version 1.0.0-alpha.79.
The core of this vulnerability lies in the lack of proper sanitization when handling file paths within the readfilestream endpoint. Specifically, the code constructs the file path by joining the volume directory with the user-supplied path without sufficient validation. This allows an attacker to craft a malicious path, such as ../../../../etc/passwd, to traverse outside the intended directory and access sensitive files. The potential impact is severe, ranging from reading configuration files containing credentials to writing malicious code to system files, potentially leading to complete system compromise. The vulnerability's estimated CVSS score of 9.9 highlights its critical nature, indicating a high likelihood of exploitation and significant potential damage.
While no public exploits have been reported as of the publication date, the vulnerability's ease of exploitation and potential impact make it a high-priority concern. The lack of robust path validation is a common pattern exploited in similar vulnerabilities, such as those affecting file storage services. The vulnerability was disclosed on 2026-01-07. Its severity warrants careful monitoring and proactive mitigation.
Exploit Status
EPSS
0.04% (13% percentile)
CISA SSVC
The primary mitigation for CVE-2025-68705 is to immediately upgrade to rustfs version 1.0.0-alpha.79 or later, which includes the necessary path validation fixes. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter requests containing path traversal sequences (e.g., ../). Additionally, restrict access to the /rustfs/rpc/readfilestream endpoint to trusted clients only. Monitor system logs for suspicious file access attempts, particularly those involving unusual paths. After upgrading, confirm the fix by attempting to access files outside the intended directory via the /rustfs/rpc/readfilestream endpoint; legitimate requests should be denied.
Actualice RustFS a la versión 1.0.0-alpha.79 o superior. Esta versión contiene la corrección para la vulnerabilidad de path traversal. La actualización se puede realizar mediante el sistema de gestión de paquetes de Rust, Cargo.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-68705 is a Path Traversal vulnerability in rustfs, allowing attackers to potentially read or write arbitrary files due to insufficient path validation in the /rustfs/rpc/readfilestream endpoint.
You are affected if you are using a version of rustfs prior to 1.0.0-alpha.79. Assess your environment to determine if you are using a vulnerable version.
Upgrade to rustfs version 1.0.0-alpha.79 or later to address the path validation issue. Consider implementing WAF rules as a temporary mitigation.
While no active exploitation has been publicly confirmed, the vulnerability's ease of exploitation and potential impact make it a high-priority concern.
Refer to the rustfs project's official communication channels and security advisories for the latest information regarding CVE-2025-68705.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your Cargo.lock file and we'll tell you instantly if you're affected.