UBUNTU-CVE-2025-11233

Source
https://ubuntu.com/security/CVE-2025-11233
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-11233.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2025-11233
Upstream
Published
2025-10-01T17:15:00Z
Modified
2026-04-22T15:29:47.624196Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/AU:Y/RE:L/U:Green
  • Ubuntu - low
Summary
[none]
Details

Starting from Rust 1.87.0 and before Rust 1.89.0, the tier 3 Cygwin target (x86_64-pc-cygwin) didn't correctly handle path separators, causing the standard library's Path API to ignore path components separated by backslashes. Due to this, programs compiled for Cygwin that validate paths could misbehave, potentially allowing path traversal attacks or malicious filesystem operations. Rust 1.89.0 fixes the issue by handling both Win32 and Unix style paths in the standard library for the Cygwin target. While we assess the severity of this vulnerability as "medium", please note that the tier 3 Cygwin compilation target is only available when building it from source: no pre-built binaries are distributed by the Rust project, and it cannot be installed through Rustup. Unless you manually compiled the x86_64-pc-cygwin target you are not affected by this vulnerability. Users of the tier 1 MinGW target (x86_64-pc-windows-gnu) are also explicitly not affected.

References

Affected packages

Ubuntu:25.10 / rustc-1.88

Package

Name
rustc-1.88
Purl
pkg:deb/ubuntu/rustc-1.88@1.88.0+dfsg0ubuntu1-0ubuntu2?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

1.*
1.88.0+dfsg0ubuntu1-0ubuntu1
1.88.0+dfsg0ubuntu1-0ubuntu2

Ecosystem specific

{
    "priority_reason": "Only affects cygwin target",
    "binaries": [
        {
            "binary_name": "cargo-1.88",
            "binary_version": "1.88.0+dfsg0ubuntu1-0ubuntu2"
        },
        {
            "binary_name": "libstd-rust-1.88",
            "binary_version": "1.88.0+dfsg0ubuntu1-0ubuntu2"
        },
        {
            "binary_name": "rust-1.88-all",
            "binary_version": "1.88.0+dfsg0ubuntu1-0ubuntu2"
        },
        {
            "binary_name": "rust-1.88-clippy",
            "binary_version": "1.88.0+dfsg0ubuntu1-0ubuntu2"
        },
        {
            "binary_name": "rust-1.88-gdb",
            "binary_version": "1.88.0+dfsg0ubuntu1-0ubuntu2"
        },
        {
            "binary_name": "rust-1.88-lldb",
            "binary_version": "1.88.0+dfsg0ubuntu1-0ubuntu2"
        },
        {
            "binary_name": "rust-1.88-src",
            "binary_version": "1.88.0+dfsg0ubuntu1-0ubuntu2"
        },
        {
            "binary_name": "rustc-1.88",
            "binary_version": "1.88.0+dfsg0ubuntu1-0ubuntu2"
        },
        {
            "binary_name": "rustfmt-1.88",
            "binary_version": "1.88.0+dfsg0ubuntu1-0ubuntu2"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-11233.json"