Path Traversal in Zip-rs Zip2
CVE-2025-29787
`zip` is a zip library for Rust which supports reading and writing of simple ZIP files. In the archive extraction routine of affected versions of the `zip` crate starting with version 1.3.0 and prior to version 2.3.0, symbolic links earlie…
Vulnerability class: Path Traversal (Directory Traversal)
EPSS: 0.003 (55.9th percentile)
Affected products
- Zip-rs Zip2 — versions >= 1.3.0, < 2.3.0
Weakness classification (CWE)
References
- https://github.com/zip-rs/zip2/security/advisories/GHSA-94vh-gphv-8pm8 (x_refsource_CONFIRM)
- https://github.com/zip-rs/zip2/commit/a2e062f37066c3b12860a32eb1cb44856cfb7afe (x_refsource_MISC)
- https://gist.github.com/eternal-flame-AD/bf71ef4f6828e741eb12ce7fd47b7b85 (x_refsource_MISC)
- https://github.com/zip-rs/zip2/releases/tag/v2.3.0 (x_refsource_MISC)