PT-2025-40278 · Rust+1

Ryotak · Published 2025-10-01 · Updated 2026-01-29 · CVE-2025-11233

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

Rust versions 1.87.0 through 1.88.9

Description

The standard library’s Path API did not correctly handle path separators on the tier 3 Cygwin target (x86_64-pc-cygwin) in versions prior to 1.89.0. This caused the API to ignore path components separated by backslashes. Programs compiled for Cygwin that validate paths could misbehave, potentially allowing path traversal attacks or malicious filesystem operations. The issue was resolved in Rust 1.89.0 by correctly handling both Win32 and Unix style paths for the Cygwin target. The tier 3 Cygwin compilation target is only available when building from source and is not available through pre-built binaries or Rustup.

Recommendations

Update to Rust version 1.89.0 or later.
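The validation gap described above, as an added example that is not code from the Rust project or from this advisory: a check that only recognises `/` misses a `..` component delimited by backslashes, while a check that splits on both separators catches it. The function names and sample inputs are constructed, and `has_parent_slash_only` is a simplified model of the affected behaviour, not the standard library's implementation.

```rust
/// Simplified model of the affected behaviour (assumption, not std's code):
/// only '/' is treated as a separator, so a backslash-delimited ".." stays
/// hidden inside a single component.
fn has_parent_slash_only(p: &str) -> bool {
    p.split('/').any(|c| c == "..")
}

/// Separator-aware check: splits on both '/' and '\', matching the advisory's
/// statement that the fix handles both Win32 and Unix style paths.
fn has_parent_any_sep(p: &str) -> bool {
    p.split(|ch: char| ch == '/' || ch == '\\').any(|c| c == "..")
}

/// Defensive validator for an untrusted relative path (hypothetical helper).
/// Rejects empty input, a leading separator of either kind (absolute or UNC),
/// a ':' in second position (conservative drive-prefix test), and ".." under
/// either separator.
fn is_safe_relative(p: &str) -> bool {
    let absolute = p.starts_with('/') || p.starts_with('\\');
    let drive = p.as_bytes().get(1) == Some(&b':');
    !p.is_empty() && !absolute && !drive && !has_parent_any_sep(p)
}

fn main() {
    // Constructed sample inputs.
    let samples = [
        "docs/readme.txt",
        "docs/../secret",
        "docs\\..\\secret",
        "C:\\Windows",
        "\\\\host\\share",
    ];
    for p in samples.iter() {
        println!(
            "{:<18} slash_only={:<5} any_sep={:<5} safe={}",
            p,
            has_parent_slash_only(p),
            has_parent_any_sep(p),
            is_safe_relative(p)
        );
    }
}
```

A check like this is a stopgap for code that must keep building with an affected toolchain; the advisory's recommendation is to update to Rust 1.89.0 or later.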

Fix

Path traversal

Weakness Enumeration

Related Identifiers

BDU:2026-02958
CVE-2025-11233
RHSA-2026:7288

Affected Products

Red Os
Rust