CVE-2025-11233
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-01

Last updated on: 2025-10-02

Assigner: rust

Description
Starting from Rust 1.87.0 and before Rust 1.89.0, the tier 3 Cygwin target (`x86_64-pc-cygwin`) didn't correctly handle path separators, causing the standard library's Path API to ignore path components separated by backslashes. Due to this, programs compiled for Cygwin that validate paths could misbehave, potentially allowing path traversal attacks or malicious filesystem operations. Rust 1.89.0 fixes the issue by handling both Win32 and Unix style paths in the standard library for the Cygwin target. While we assess the severity of this vulnerability as "medium", please note that the tier 3 Cygwin compilation target is only available when building it from source: no pre-built binaries are distributed by the Rust project, and it cannot be installed through Rustup. Unless you manually compiled the `x86_64-pc-cygwin` target you are not affected by this vulnerability. Users of the tier 1 MinGW target (`x86_64-pc-windows-gnu`) are also explicitly not affected.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-01
Last Modified
2025-10-02
Generated
2026-06-16
AI Q&A
2025-10-01
EPSS Evaluated
2026-06-15
NVD
CVE-2025-11233
EUVD
EUVD-2025-33229
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rust rust *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Rust versions from 1.87.0 up to but not including 1.89.0 when targeting the tier 3 Cygwin platform (x86_64-pc-cygwin). The issue is that the Rust standard library's Path API did not correctly handle path separators, causing it to ignore path components separated by backslashes. This flaw can cause programs compiled for Cygwin that validate paths to misbehave, potentially allowing path traversal attacks or malicious filesystem operations. The problem is fixed in Rust 1.89.0 by properly handling both Windows and Unix style paths for the Cygwin target.

Impact Analysis

If you manually compiled Rust for the tier 3 Cygwin target (x86_64-pc-cygwin) between versions 1.87.0 and before 1.89.0, this vulnerability could allow attackers to exploit path validation flaws in your programs. This could lead to path traversal attacks or unauthorized malicious filesystem operations. However, if you use pre-built Rust binaries or other targets like the tier 1 MinGW target, you are not affected.

Mitigation Strategies

If you have manually compiled the Rust tier 3 Cygwin target (x86_64-pc-cygwin) between versions 1.87.0 and before 1.89.0, update to Rust 1.89.0 or later to fix the path separator handling issue. If you have not manually compiled this target, you are not affected. Avoid using the vulnerable Rust versions for the Cygwin target and verify your builds to ensure they do not use the affected Rust versions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11233. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart