Severity by source
AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability in the rm utility of uutils coreutils allows the bypass of safeguard mechanisms intended to protect the current directory. While the utility correctly refuses to delete . or .., it fails to recognize equivalent paths with trailing slashes, such as ./ or .///. An accidental or malicious execution of rm -rf ./ results in the silent recursive deletion of all contents within the current directory. The command further obscures the data loss by reporting a misleading 'Invalid input' error, which may cause users to miss the critical window for data recovery.
AnalysisAI
The rm utility in uutils coreutils fails to properly validate current directory paths with trailing slashes (./ or .///), allowing local users with write access to silently delete all contents of the current directory via rm -rf ./ while the utility reports a misleading 'Invalid input' error. CVSS score 5.6 reflects local attack vector and required user interaction, though the impact is severe data loss with potential recovery complications.
Technical ContextAI
The vulnerability stems from insufficient path normalization in the rm utility's safeguard mechanism (CWE-22: Improper Limitation of a Pathname to a Restricted Directory). The utility correctly blocks deletion of the literal paths '.' and '..' but fails to recognize semantically equivalent paths with trailing slashes such as './' or './//', which resolve to the current directory after path canonicalization. This represents a classic path traversal validation bypass where the input sanitization logic does not account for all syntactic variations of the same logical path. The affected product is the Rust-based reimplementation of GNU coreutils (uutils), which aims for compatibility with POSIX-standard utilities but contains this regression in directory protection logic.
RemediationAI
Upgrade to a patched version of uutils coreutils that correctly normalizes and validates paths with trailing slashes to prevent rm from accepting './', './//', or other equivalent forms of the current directory. Consult the GitHub issue at https://github.com/uutils/coreutils/issues/9749 for patch availability and exact version. As a temporary compensating control, restrict rm usage in critical environments via AppArmor, SELinux, or sudo restrictions to trusted users only, or mandate code review for any rm -rf commands in scripts. However, these controls do not prevent accidental misuse by authorized developers. Additionally, implement file system snapshots or atomic backups in critical directories (particularly project roots and home directories) to reduce recovery time window if silent deletion occurs. Organizations should also audit any CI/CD pipelines or deployment scripts that invoke rm with wildcards or directory arguments, as this vulnerability increases risk in automation contexts.
The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly ex
Privilege escalation to root in uutils coreutils chroot utility allows low-privileged local attackers with write access
Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing l
Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary f
Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file pe
Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root fi
The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across file
The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during fil
The split utility in uutils coreutils contains a time-of-check to time-of-use (TOCTOU) race condition that allows local
A time-of-check to time-of-use (TOCTOU) race condition in the mv utility of uutils coreutils during cross-device move op
The touch utility in uutils coreutils suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition that allows lo
Privilege escalation via symlink attack in uutils coreutils install utility when using the -D flag allows local attacker
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25008
GHSA-89p7-7cq3-hhr2