Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all

Low severity GitHub Reviewed Published Feb 24, 2023 in XAMPPRocky/remove_dir_all • Updated Mar 6, 2023

Package

cargo remove_dir_all (Rust)

Affected versions

< 0.8.0

Patched versions

0.8.0

Description

The remove_dir_all crate is a Rust library that offers additional features over the Rust standard library's fs::remove_dir_all function. It suffers the same class of failure as the code it layered over: a time-of-check to time-of-use (TOCTOU) race condition. The type of a path is checked once, and the path is then re-resolved by name for the delete that follows; an attacker who substitutes a symbolic link for that path between the check and the use can cause arbitrary paths outside the tree being removed to be deleted.

Thanks to the Rust security team for identifying the problem and alerting us to it.
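
To make the race concrete, here is an added example, not code from the remove_dir_all crate or from this advisory, showing the check-then-act pattern beside a handle-anchored form. The `race_point` hook (so a test can play the attacker deterministically instead of racing a clock), the `/proc/self/fd/<fd>/<name>` detour, the fixture layout and all function names are assumptions of this example, and the anchored form is Linux-only. The crate's 0.8.0 fix moves to operations relative to an open directory handle (openat/unlinkat on Unix), which the standard library does not expose publicly; std's own `fs::remove_dir_all` has used the same handle-based approach since Rust 1.58.1.

```rust
use std::fs::{self, File};
use std::io;
use std::os::unix::fs::{symlink, DirEntryExt, MetadataExt};
use std::os::unix::io::AsRawFd;
use std::path::{Path, PathBuf};
use std::sync::atomic::{AtomicU64, Ordering};

/// Path-based recursive delete with the check-then-act shape of the bug: the entry type is
/// read once, then the directory is re-resolved by *path* for every later step. `race_point`
/// (an assumption of this example) runs between the check and the act so a test can be the attacker.
pub fn remove_tree_racy(dir: &Path, race_point: &mut dyn FnMut(&Path)) -> io::Result<()> {
    for entry in fs::read_dir(dir)? {
        let entry = entry?;
        let path = entry.path();
        if entry.file_type()?.is_dir() {          // CHECK: d_type/lstat, does not follow symlinks
            race_point(&path);                    // attacker swaps `path` for a symlink here
            remove_tree_racy(&path, race_point)?; // USE: read_dir(path) re-resolves and follows it
            if fs::remove_dir(&path).is_err() {   // rmdir on a symlink is ENOTDIR,
                fs::remove_file(&path)?;          // so unlink the link and carry on
            }
        } else {
            fs::remove_file(&path)?;              // unlink never follows the last component
        }
    }
    Ok(())
}

/// Handle-anchored delete (Linux only; an assumption of this example). The parent is opened once
/// and every child is addressed as /proc/self/fd/<fd>/<name>, so the kernel resolves the parent
/// from our open handle rather than from a path the attacker can rewrite. Before descending, the
/// child handle must match the inode readdir reported and stay on the same device (so mount
/// points are not crossed); a symlink swapped in meanwhile resolves elsewhere and is refused.
pub fn remove_tree_anchored(dir: &Path, race_point: &mut dyn FnMut(&Path)) -> io::Result<()> {
    let parent = File::open(dir)?;
    let parent_meta = parent.metadata()?;
    if !parent_meta.is_dir() {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "not a directory"));
    }
    remove_children(&parent, parent_meta.dev(), dir, race_point)
}

fn remove_children(parent: &File, dev: u64, display: &Path, race_point: &mut dyn FnMut(&Path)) -> io::Result<()> {
    let here = PathBuf::from(format!("/proc/self/fd/{}", parent.as_raw_fd()));
    for entry in fs::read_dir(&here)? {
        let entry = entry?;
        let name = entry.file_name();
        let child_path = here.join(&name);
        if entry.file_type()?.is_dir() {
            race_point(&display.join(&name));
            let child = File::open(&child_path)?;  // resolved through the parent handle
            let meta = child.metadata()?;
            if !meta.is_dir() || meta.ino() != entry.ino() || meta.dev() != dev {
                let msg = format!("{} changed underneath us; refusing to descend", display.join(&name).display());
                return Err(io::Error::new(io::ErrorKind::Other, msg));
            }
            remove_children(&child, dev, &display.join(&name), race_point)?;
            fs::remove_dir(&child_path)?;
        } else {
            fs::remove_file(&child_path)?;
        }
    }
    Ok(())
}

static COUNTER: AtomicU64 = AtomicU64::new(0);

/// Constructed fixture: target/own.txt plus an attacker-owned empty target/sub/, and victim/secret.txt
/// outside the target that must survive. Returns (base, target, victim).
pub fn build_fixture() -> io::Result<(PathBuf, PathBuf, PathBuf)> {
    let n = COUNTER.fetch_add(1, Ordering::SeqCst);
    let base = std::env::temp_dir().join(format!("toctou-demo-{}-{}", std::process::id(), n));
    let (target, victim) = (base.join("target"), base.join("victim"));
    fs::create_dir_all(target.join("sub"))?;
    fs::create_dir_all(&victim)?;
    fs::write(target.join("own.txt"), b"belongs to target")?;
    fs::write(victim.join("secret.txt"), b"must survive")?;
    Ok((base, target, victim))
}

/// Runs `remover` on the fixture while the attacker, at the race point, replaces the real
/// directory target/sub with a symlink to victim/. Returns whether victim/secret.txt survived.
pub fn victim_survives(remover: fn(&Path, &mut dyn FnMut(&Path)) -> io::Result<()>) -> io::Result<bool> {
    let (base, target, victim) = build_fixture()?;
    let outcome = remover(&target, &mut |p: &Path| {
        let still_real_dir = fs::symlink_metadata(p).map_or(false, |m| m.is_dir());
        if p.file_name().map_or(false, |n| n == "sub") && still_real_dir {
            fs::remove_dir(p).expect("attacker owns the empty directory");
            symlink(&victim, p).expect("attacker plants the symlink");
        }
    });
    let survived = victim.join("secret.txt").exists();
    fs::remove_dir_all(&base)?;
    let _ = outcome; // the racy remover returns Ok after deleting the wrong file; the anchored one returns Err
    Ok(survived)
}

fn main() -> io::Result<()> {
    println!("racy remover, victim survives:     {}", victim_survives(remove_tree_racy)?);
    println!("anchored remover, victim survives: {}", victim_survives(remove_tree_anchored)?);
    Ok(())
}
```

The racy remover reports success while `victim/secret.txt`, which was never inside the tree being removed, is gone; the anchored remover aborts with an error at the swapped entry and leaves it intact. The inode comparison only needs to be right at the moment the child handle is opened: every later unlink and rmdir goes through that handle, so a swap performed afterwards can at worst make the operation fail, not redirect it.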

References

XAMPPRocky published to XAMPPRocky/remove_dir_all Feb 24, 2023
Published to the GitHub Advisory Database Feb 24, 2023
Reviewed Feb 24, 2023
Last updated Mar 6, 2023

Severity

Low

CVE ID

No known CVE

GHSA ID

GHSA-mc8h-8q98-g5hr