Skip to main content

Ubuntu CVE-2025-11233

| EUVDEUVD-2025-33229 MEDIUM
Path Traversal (CWE-22)
2025-10-01 986d4109-89ea-491f-99fd-a8e4803919bd
Medium
Disputed · 6.3 NVD
Share

Severity by source

Sources disagree (Low–High)
NVD PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/AU:Y/RE:L/U:Green
Ubuntu
LOW
qualitative
SUSE
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Red Hat
6.5 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/AU:Y/RE:L/U:Green
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 13, 2026 - 18:18 euvd
EUVD-2025-33229
Analysis Generated
Mar 13, 2026 - 18:18 vuln.today
CVE Published
Oct 01, 2025 - 17:15 nvd
MEDIUM 6.3

DescriptionCVE.org

Starting from Rust 1.87.0 and before Rust 1.89.0, the tier 3 Cygwin target (x86_64-pc-cygwin) didn't correctly handle path separators, causing the standard library's Path API to ignore path components separated by backslashes. Due to this, programs compiled for Cygwin that validate paths could misbehave, potentially allowing path traversal attacks or malicious filesystem operations.

Rust 1.89.0 fixes the issue by handling both Win32 and Unix style paths in the standard library for the Cygwin target.

While we assess the severity of this vulnerability as "medium", please note that the tier 3 Cygwin compilation target is only available when building it from source: no pre-built binaries are distributed by the Rust project, and it cannot be installed through Rustup. Unless you manually compiled the x86_64-pc-cygwin target you are not affected by this vulnerability. Users of the tier 1 MinGW target (x86_64-pc-windows-gnu) are also explicitly not affected.

Analysis

Starting from Rust 1.87.0 and before Rust 1.89.0, the tier 3 Cygwin target (x86_64-pc-cygwin) didn't correctly handle path separators, causing the standard library's Path API to ignore path components separated by backslashes. Due to this, programs compiled for Cygwin that validate paths could misbehave, potentially allowing path traversal attacks or malicious filesystem operations.

Rust 1.89.0 fixes the issue by handling both Win32 and Unix style paths in the standard library for the Cygwin target.

While we assess the severity of this vulnerability as "medium", please note that the tier 3 Cygwin compilation target is only available when building it from source: no pre-built binaries are distributed by the Rust project, and it cannot be installed through Rustup. Unless you manually compiled the x86_64-pc-cygwin target you are not affected by this vulnerability. Users of the tier 1 MinGW target (x86_64-pc-windows-gnu) are also explicitly not affected.

Technical ContextAI

Path traversal allows an attacker to access files outside the intended directory by manipulating file paths with sequences like '../'.

RemediationAI

Validate and sanitize file path inputs. Use a whitelist of allowed files or directories. Implement chroot jails or containerization.

CVE-2021-40444 HIGH POC
8.8 Sep 15

Windows MSHTML component contains a remote code execution vulnerability that allows attackers to craft malicious ActiveX

CVE-2021-1732 HIGH POC
7.8 Feb 25

Windows Win32k contains an out-of-bounds write vulnerability enabling local privilege escalation to SYSTEM, exploited by

CVE-2018-8174 HIGH POC
7.5 May 09

The Windows VBScript engine contains a remote code execution vulnerability in object handling that allows full system co

CVE-2019-0803 HIGH POC
7.8 Apr 09

Windows Win32k fails to properly handle objects in memory, allowing local privilege escalation exploited in the wild in

CVE-2020-1472 MEDIUM POC
5.5 Aug 17

A privilege escalation vulnerability (CVSS 5.5). Risk factors: actively exploited (KEV-listed), EPSS 94% exploitation pr

CVE-2024-30088 HIGH POC
7.0 Jun 11

Windows Kernel contains a TOCTOU race condition vulnerability allowing local privilege escalation, exploited by the OilR

CVE-2025-33053 HIGH POC
8.8 Jun 10

Windows Internet Shortcut Files (.url) contain an external control vulnerability (CVE-2025-33053, CVSS 8.8) that enables

CVE-2025-33073 HIGH POC
8.8 Jun 10

Windows SMB contains an improper access control vulnerability (CVE-2025-33073, CVSS 8.8) enabling authenticated attacker

CVE-2025-13315 CRITICAL POC
9.3 Nov 19

Twonky Server 8.5.2 on Linux and Windows allows unauthenticated access to the admin log file through a web service API b

CVE-2013-10047 CRITICAL POC
9.3 Aug 01

An unrestricted file upload vulnerability exists in MiniWeb HTTP Server <= Build 300 that allows unauthenticated remote

CVE-2012-10030 CRITICAL POC
9.3 Aug 05

FreeFloat FTP Server contains multiple critical design flaws that allow unauthenticated remote attackers to upload arbit

CVE-2025-34101 CRITICAL POC
9.3 Jul 10

Serviio Media Server versions 1.4 through 1.8 on Windows contain an unauthenticated command injection in the /rest/actio

Vendor StatusVendor

Ubuntu

Priority: Low
rustc
Release Status Version
plucky DNE -
bionic not-affected 1.87+ only
focal not-affected 1.87+ only
jammy not-affected 1.87+ only
noble not-affected 1.87+ only
trusty not-affected 1.87+ only
upstream not-affected 1.87+ only
xenial not-affected 1.87+ only
questing DNE -
rustc-1.62
Release Status Version
noble DNE -
plucky DNE -
jammy not-affected 1.87+ only
questing DNE -
upstream not-affected 1.87+ only
rustc-1.74
Release Status Version
jammy DNE -
plucky DNE -
questing DNE -
noble not-affected 1.87+ only
upstream not-affected 1.87+ only
rustc-1.76
Release Status Version
plucky DNE -
questing DNE -
focal not-affected 1.87+ only
jammy not-affected 1.87+ only
noble not-affected 1.87+ only
upstream not-affected 1.87+ only
rustc-1.77
Release Status Version
plucky DNE -
questing DNE -
focal not-affected 1.87+ only
jammy not-affected 1.87+ only
noble not-affected 1.87+ only
upstream not-affected 1.87+ only
rustc-1.78
Release Status Version
plucky DNE -
questing DNE -
focal not-affected 1.87+ only
jammy not-affected 1.87+ only
noble not-affected 1.87+ only
upstream not-affected 1.87+ only
rustc-1.79
Release Status Version
plucky DNE -
questing DNE -
focal not-affected 1.87+ only
jammy not-affected 1.87+ only
noble not-affected 1.87+ only
upstream not-affected 1.87+ only
rustc-1.80
Release Status Version
plucky DNE -
questing DNE -
focal not-affected 1.87+ only
jammy not-affected 1.87+ only
noble not-affected 1.87+ only
upstream not-affected 1.87+ only
rustc-1.88
Release Status Version
jammy DNE -
noble DNE -
plucky DNE -
upstream needs-triage -
questing needs-triage -
rustc-1.81
Release Status Version
jammy not-affected 1.87+ only
questing DNE -
noble not-affected 1.87+ only
plucky ignored end of life, was not-affected (1.87+ only)
upstream not-affected 1.87+ only
rustc-1.82
Release Status Version
jammy not-affected 1.87+ only
questing DNE -
noble not-affected 1.87+ only
plucky ignored end of life, was not-affected (1.87+ only)
upstream not-affected 1.87+ only
rustc-1.83
Release Status Version
questing DNE -
jammy not-affected 1.87+ only
noble not-affected 1.87+ only
plucky ignored end of life, was not-affected (1.87+ only)
upstream not-affected 1.87+ only
rustc-1.84
Release Status Version
questing DNE -
jammy not-affected 1.87+ only
noble not-affected 1.87+ only
plucky ignored end of life, was not-affected (1.87+ only)
upstream not-affected 1.87+ only
rustc-1.85
Release Status Version
questing not-affected 1.87+ only
jammy not-affected 1.87+ only
noble not-affected 1.87+ only
plucky ignored end of life, was not-affected (1.87+ only)
upstream not-affected 1.87+ only

Debian

rustc
Release Status Fixed Version Urgency
bullseye not-affected - -
bookworm not-affected - -
trixie not-affected - -
forky fixed 1.91.1+dfsg1-1 -
sid fixed 1.92.0+dfsg1-1 -
(unstable) fixed 1.89.0+dfsg1-1 -

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2025-11233 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy