Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-11233

Good to know:

icon
icon

Date: October 1, 2025

Starting from Rust 1.87.0 and before Rust 1.89.0, the tier 3 Cygwin target ("x86_64-pc-cygwin") didn't correctly handle path separators, causing the standard library's Path API to ignore path components separated by backslashes. Due to this, programs compiled for Cygwin that validate paths could misbehave, potentially allowing path traversal attacks or malicious filesystem operations. Rust 1.89.0 fixes the issue by handling both Win32 and Unix style paths in the standard library for the Cygwin target. While we assess the severity of this vulnerability as "medium", please note that the tier 3 Cygwin compilation target is only available when building it from source: no pre-built binaries are distributed by the Rust project, and it cannot be installed through Rustup. Unless you manually compiled the "x86_64-pc-cygwin" target you are not affected by this vulnerability. Users of the tier 1 MinGW target ("x86_64-pc-windows-gnu") are also explicitly not affected.

Severity Score

Related Resources (4)

https://nvd.nist.gov/vuln/detail/CVE-2025-11233
https://github.com/rust-lang/rust/pull/141864
https://groups.google.com/g/rustlang-security-announcements/c/oT9zCvLLYkw
https://www.mend.io/vulnerability-database/CVE-2025-11233

Severity Score

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Top Fix

icon

Upgrade Version

Upgrade to version https://github.com/rust-lang/rust.git - 1.89.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): CHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): LOW

Do you need more information?

Contact Us