CVE-2025-29787

Name of the Vulnerable Software and Affected Versions zip versions 1.3.0 through 2.3.0 zip version 2.3.0 fixes the issue, so the affected versions are prior to 2.3.0 Therefore, the affected versions are: zip versions 1.3.0 through 2.2.x

Description The archive extraction routine of the zip crate allows symbolic links earlier in the archive to be used for later files in the archive without validation of the final canonicalized path. This enables maliciously crafted archives to overwrite arbitrary files in the file system when extracted. Users who extract untrusted archive files using high-level API methods may be affected, and critical files on the system may be overwritten with arbitrary file permissions, potentially leading to code execution.

Recommendations For zip versions 1.3.0 through 2.2.x, update to version 2.3.0 to fix the issue. As a temporary workaround, consider avoiding the extraction of untrusted archive files using the zip::unstable::stream::ZipStreamReader::extract and zip::read::ZipArchive::extract methods until the issue is resolved. Restrict access to the extract method to minimize the risk of exploitation.