Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Description requires an authenticated tenant with PutObject, so PR:L not PR:N; write-only cross-tenant impact gives I:H with C:N/A:N and S:C for the boundary crossing.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.4, authenticated users with only PutObject permission on their own bucket can exploit a path traversal vulnerability in the Snowball auto-extract feature to write arbitrary objects into other users' buckets, completely breaking multi-tenant isolation. The vulnerability chains three flaws: No ../ sanitization in tar entry key normalization; IAM wildcard matching uses raw (uncleaned) paths; and Filesystem path cleaning resolves ../ across bucket boundaries.
AnalysisAI
Cross-tenant object injection in RustFS 1.0.0-beta.4 lets a tenant holding only PutObject rights on their own bucket write arbitrary objects into other tenants' buckets, fully breaking multi-tenant isolation. The flaw lives in the Snowball auto-extract feature and chains three weaknesses (unsanitized tar entry keys, IAM wildcard matching on raw paths, and filesystem path cleaning that resolves ../ across bucket boundaries). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an authenticated tenant account with at least PutObject permission on its own bucket, and the target RustFS instance must have the Snowball auto-extract (server-side tar unpacking) feature available and invokable by that tenant. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The published CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N, 8.6) and the prose description conflict on a key point: the vector encodes PR:N (unauthenticated), but the description explicitly requires an authenticated tenant holding PutObject permission - verify with the vendor, as a realistic assessment is PR:L. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged tenant who can only PutObject to their own bucket uploads a crafted tar archive through the Snowball auto-extract endpoint, embedding tar entry keys containing ../ sequences that point at a victim tenant's bucket path. The IAM check passes against the raw path while the filesystem resolves the traversal across the bucket boundary, planting attacker-controlled objects in the victim's bucket. … |
| Remediation | No vendor-released patched version is identified in the available data; consult the GitHub Security Advisory GHSA-f4vq-9ffr-m8m3 (https://github.com/rustfs/rustfs/security/advisories/GHSA-f4vq-9ffr-m8m3) for the fixed release and upgrade off 1.0.0-beta.4 once it is published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all RustFS 1.0.0-beta.4 deployments in production and audit recent Snowball archive extraction operations for unauthorized cross-tenant object writes. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
RustFS (alpha.13 to alpha.78) has a path traversal in /rustfs/rpc/read_file_stream that allows reading arbitrary files o
RustFS (alpha.13 to alpha.78) has a privilege escalation where restricted service accounts can self-issue unrestricted c
Stored XSS in RustFS distributed object storage system before 1.0.0-alpha.83. Malicious JavaScript persists in stored ob
Incorrect IAM permission validation in RustFS prior to version 1.0.0-alpha.79 permits principals with export-only permis
RustFS versions 1.0.0-alpha.1 through 1.0.0-alpha.79 expose the shared HMAC secret in server logs when processing invali
Authentication bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) allows unauthenticated remot
Privilege escalation in RustFS distributed object storage before 1.0.0-beta.2 lets a low-privileged user holding ImportI
Unauthenticated denial of service and information disclosure in RustFS distributed object storage prior to version 1.0.0
License-enforcement bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) stems from a hardcoded
Information disclosure in RustFS, a Rust-based distributed object storage system, lets any authenticated user with no ef
Insufficient input validation in RustFS versions 1.0.0-alpha.56 through 1.0.0-alpha.82 allows authenticated attackers to
RustFS is a distributed object storage system built in Rust. [CVSS 4.0 MEDIUM]
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39865