CVE-2025-29787: 
Rust vulnerability analysis and mitigation

CVE-2025-29787 affects the zip crate, a Rust library for reading and writing ZIP files. The vulnerability was discovered in versions 1.3.0 through 2.2.0 and was disclosed on March 17, 2025. The issue involves improper path canonicalization during archive extraction, which could allow maliciously crafted archives to overwrite arbitrary files on the system (GitHub Advisory).

The vulnerability is a variant of the zip-slip vulnerability where symbolic links earlier in the archive can be used for later files without proper validation of the final canonicalized path. The issue has been assigned a CVSS v4.0 score of 7.3 (High) with the vector string CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:H/SI:H/SA:H. The vulnerability is categorized under multiple CWE categories including CWE-22 (Path Traversal), CWE-61 (UNIX Symbolic Link Following), and CWE-180 (Incorrect Behavior Order) (GitHub Advisory).

When exploited, this vulnerability can lead to arbitrary file overwrites in the file system with arbitrary file permissions. This could potentially result in remote code execution, system compromise, unauthorized file modifications, or denial of service attacks. The ability to overwrite files with arbitrary permissions further exacerbates the impact by potentially allowing attackers to bypass security restrictions and escalate privileges (SecMaster Blog).

The vulnerability has been fixed in version 2.3.0 of the zip crate. Users should update to this version or later to mitigate the issue. The fix involves proper validation of symlink targets and ensuring they remain within the destination directory. As additional security measures, it's recommended to implement additional validation of file paths before extraction and follow the principle of least privilege when extracting archives (GitHub Release).