CVE-2025-68705 Overview
CVE-2025-68705 is a path traversal vulnerability affecting RustFS, a distributed object storage system built in Rust. The vulnerability exists in versions 1.0.0-alpha.13 through 1.0.0-alpha.78 within the /rustfs/rpc/read_file_stream endpoint, allowing attackers to access files outside the intended directory structure through specially crafted path inputs.
Critical Impact
This path traversal vulnerability enables unauthorized file access through the RPC endpoint, potentially exposing sensitive configuration files, credentials, and other restricted data stored on affected RustFS instances.
Affected Products
- RustFS versions 1.0.0-alpha.13 through 1.0.0-alpha.78
- RustFS distributed object storage deployments using the /rustfs/rpc/read_file_stream endpoint
Discovery Timeline
- 2026-01-07 - CVE-2025-68705 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-68705
Vulnerability Analysis
This path traversal vulnerability (CWE-22) allows remote attackers to bypass intended directory restrictions and access arbitrary files on the server filesystem. The vulnerability is network-accessible without requiring authentication or user interaction, making it particularly dangerous for internet-exposed RustFS deployments.
The flaw resides in the /rustfs/rpc/read_file_stream endpoint, which fails to properly validate and sanitize file path inputs before processing file read requests. By injecting directory traversal sequences such as ../ into path parameters, an attacker can escape the designated storage directory and read arbitrary files accessible to the RustFS process.
Root Cause
The root cause is improper input validation in the file path handling logic within the disk store component. The application did not adequately validate that requested file paths remained within the intended storage boundaries, allowing traversal sequences to navigate to parent directories and access unauthorized files.
The security patch introduces explicit path validation with a new InvalidPath error type to properly reject malicious path inputs before file operations are executed.
Attack Vector
The attack exploits the network-accessible RPC endpoint by submitting malicious file path requests containing directory traversal sequences. An unauthenticated attacker can craft HTTP requests to the /rustfs/rpc/read_file_stream endpoint with path parameters like ../../../../etc/passwd to read sensitive system files or configuration data outside the intended storage location.
The security patch extends the disk store's DiskError enum with an InvalidPath variant that the path validation returns before any file operation runs. The excerpt below shows the tail of the patched enum and the start of its impl block (thiserror attributes; the remaining variants and the impl body are not reproduced here):
    // ... earlier DiskError variants omitted in this excerpt
    #[error("timeout")]
    Timeout,
    // New variant introduced by the fix; returned when a requested path fails validation
    #[error("invalid path")]
    InvalidPath,
}
impl DiskError {
    // ... impl body not shown in the excerpt
Source: GitHub Commit Details
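To make the root cause and the shape of the fix concrete, here is an added, self-contained Rust example (not RustFS code; the DiskError enum is a std-only stand-in for the patched type, and the demo volume, object and symlink are constructed test data). resolve_unchecked shows the vulnerable join-and-read pattern, where "../" components reach the OS untouched and an absolute request path makes Path::join discard the volume root. resolve_checked rejects every component that is not a plain name with InvalidPath, then canonicalises and confirms the result is still under the canonicalised root, which also catches a symlink inside the volume that points outside it.

```rust
use std::fs;
use std::io;
use std::path::{Component, Path, PathBuf};

// Stand-in for the patched RustFS error type (assumed shape, std-only, no thiserror).
#[derive(Debug)]
pub enum DiskError {
    InvalidPath,
    Io(io::Error),
}

impl From<io::Error> for DiskError {
    fn from(e: io::Error) -> Self {
        DiskError::Io(e)
    }
}

/// Vulnerable pattern: the caller-supplied path is joined onto the volume root
/// with no checks. `..` is passed through to the OS, and an absolute right-hand
/// side makes `Path::join` return that path and drop the root entirely.
pub fn resolve_unchecked(root: &Path, requested: &str) -> PathBuf {
    root.join(requested)
}

/// Hardened resolution in the spirit of the fix. Any component that is not a
/// plain name (`..`, `.`, a leading `/`, a drive prefix) is an InvalidPath.
/// The canonicalise-and-compare step then catches symlinks under the volume
/// that lead outside it, which the component check alone cannot see.
pub fn resolve_checked(root: &Path, requested: &str) -> Result<PathBuf, DiskError> {
    let rel = Path::new(requested);
    if rel.components().any(|c| !matches!(c, Component::Normal(_))) {
        return Err(DiskError::InvalidPath);
    }
    let root_canon = root.canonicalize()?;
    let target = root.join(rel).canonicalize()?; // a missing object surfaces as Io(NotFound)
    if !target.starts_with(&root_canon) {
        return Err(DiskError::InvalidPath);
    }
    Ok(target)
}

/// Stand-in for a read_file_stream style handler built on the checked resolver.
pub fn read_object(root: &Path, requested: &str) -> Result<Vec<u8>, DiskError> {
    let path = resolve_checked(root, requested)?;
    Ok(fs::read(path)?)
}

/// Builds a throw-away volume under the OS temp dir with one object and, on
/// Unix, a symlink `bucket/escape -> ../..` that resolves outside the volume.
/// Constructed demo data, not a real RustFS layout.
pub fn demo_volume() -> PathBuf {
    let root = std::env::temp_dir()
        .join(format!("rustfs-cve-2025-68705-demo-{}", std::process::id()));
    fs::create_dir_all(root.join("bucket")).expect("create demo volume");
    fs::write(root.join("bucket").join("obj.txt"), b"hello").expect("write demo object");
    #[cfg(unix)]
    {
        let link = root.join("bucket").join("escape");
        if fs::symlink_metadata(&link).is_err() {
            std::os::unix::fs::symlink("../..", &link).expect("create escape symlink");
        }
    }
    root
}

fn main() {
    let root = demo_volume();
    for &req in &["bucket/obj.txt", "../../../../etc/passwd", "/etc/passwd", "bucket/escape"] {
        println!("{:<26} unchecked -> {}", req, resolve_unchecked(&root, req).display());
        println!(
            "{:<26} checked   -> {:?}",
            req,
            resolve_checked(&root, req).map(|p| p.display().to_string())
        );
    }
}
```

Two points worth noting when porting this check: it operates on the already-decoded path, so any percent-decoding the transport layer performs must happen before it (otherwise "%2e%2e" reaches the OS as a literal file name rather than as a traversal), and the canonicalise step requires the object to exist, so a not-found error and an invalid-path error stay distinguishable for logging.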
Detection Methods for CVE-2025-68705
Indicators of Compromise
- HTTP requests to /rustfs/rpc/read_file_stream containing ../ or URL-encoded traversal sequences (%2e%2e%2f)
- Unexpected file access patterns in RustFS logs showing paths outside normal storage directories
- Access attempts to sensitive system files such as /etc/passwd, /etc/shadow, or configuration files
Detection Strategies
- Monitor RustFS access logs for requests containing path traversal patterns in the read_file_stream endpoint
- Implement web application firewall (WAF) rules to detect and block directory traversal sequences in API requests
- Review file system audit logs for unexpected read operations by the RustFS process outside designated storage paths
- Deploy intrusion detection signatures targeting path traversal patterns in HTTP request URIs
Monitoring Recommendations
- Enable verbose logging for the /rustfs/rpc/read_file_stream endpoint to capture full request paths
- Configure alerting for any file access attempts outside the designated RustFS storage directories
- Monitor for unusual patterns of file read requests that could indicate reconnaissance or data exfiltration
How to Mitigate CVE-2025-68705
Immediate Actions Required
- Upgrade RustFS to version 1.0.0-alpha.79 or later immediately
- If immediate patching is not possible, restrict network access to the /rustfs/rpc/read_file_stream endpoint using firewall rules
- Review access logs for evidence of exploitation attempts targeting the vulnerable endpoint
- Run the RustFS process with minimal filesystem permissions to limit the impact of potential exploitation
Patch Information
The vulnerability has been addressed in RustFS version 1.0.0-alpha.79. The fix implements proper path validation in the disk store component, introducing an InvalidPath error type to reject malicious traversal sequences before file operations are performed. Organizations should review the GitHub Security Advisory and apply the security patch as soon as possible.
Workarounds
- Deploy a reverse proxy or WAF in front of RustFS instances to filter requests containing path traversal sequences
- Implement network segmentation to restrict access to the RPC endpoint from untrusted networks
- Use chroot or containerization to limit the filesystem scope accessible to the RustFS process
# Example: restrict access to the RustFS listener using iptables
# (9000 is assumed to be the port RustFS listens on; adjust to your deployment).
# Port-level filtering blocks every request on that port, not only the RPC path,
# so trusted clients must sit inside the allowed network. Insert the rules ahead
# of any existing ACCEPT rule so they actually take effect, and persist them with
# your distribution's tooling; rules added this way are lost on reboot.
iptables -I INPUT 1 -p tcp --dport 9000 -s 192.168.1.0/24 -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 9000 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

