CVE-2025-68705

CRITICAL

RustFS <1.0.0-alpha.79 - Path Traversal

Title source: llm

Description

RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 to 1.0.0-alpha.78, RustFS contains a path traversal vulnerability in the /rustfs/rpc/read_file_stream endpoint. This issue has been patched in version 1.0.0-alpha.79.

Exploits (1)

nomisec WORKING POC 1 stars

by imjdl · poc

https://github.com/imjdl/CVE-2025-68705

View Code ZIP pw:eip

References (2)

[Patch] https://github.com/rustfs/rustfs/commit/ab752458ce431c6397175d167beee2ea00507d3e

[Exploit, Vendor Advisory] https://github.com/rustfs/rustfs/security/advisories/GHSA-pq29-69jg-9mxc

Scores

CVSS v3 9.8

EPSS 0.0004

EPSS Percentile 13.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-22

Status published

Products (2)

crates.io/rustfs 1.0.0-alpha.13 - 1.0.0-alpha.79crates.io

rustfs/rustfs 1.0.0 alpha13 (49 CPE variants)

Published Jan 07, 2026

Tracked Since Feb 18, 2026