VDB
CVE-2025-29787
CVE-2025-29787
PUBLISHED
CVSS 7.300000190734863 HIGH
zip Incorrectly Canonicalizes Paths during Archive Extraction Leading to Arbitrary File Write
EPSS 0.33% · 55.9th percentile
Risk Scores
CVSS v4.0
7.300000190734863
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:H/SI:H/SA:H
EPSS Score
0.33%
55.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| crates.io | zip | 1.3.0 |
| zip-rs | zip2 | * |
Timeline
- Mar 17, 2025 CVE Published
- Mar 17, 2025 PoC Published
- Mar 18, 2025 EPSS Score
- Mar 31, 2025 EPSS Score
- Apr 14, 2025 EPSS Score
- Apr 27, 2025 EPSS Score
- May 11, 2025 EPSS Score
- May 24, 2025 EPSS Score
- Jun 6, 2025 EPSS Score
- Jun 20, 2025 EPSS Score
- Jul 3, 2025 EPSS Score
- Jul 16, 2025 EPSS Score
References
- https://github.com/zip-rs/zip2/security/advisories/GHSA-94vh-gphv-8pm8 url
- https://github.com/zip-rs/zip2/commit/a2e062f37066c3b12860a32eb1cb44856cfb7afe url
- https://gist.github.com/eternal-flame-AD/bf71ef4f6828e741eb12ce7fd47b7b85 url
- https://github.com/zip-rs/zip2/releases/tag/v2.3.0 url
- https://nvd.nist.gov/vuln/detail/CVE-2025-29787 advisory
- https://github.com/zip-rs/zip2 package