A time-of-check/time-of-use (TOCTOU) race condition allows walkdir to traverse a symlink even with follow_links disabled, the default behavior.
When a privileged process uses walkdir on directories writable by an untrusted user, an attacker can exploit this race to redirect traversal into unintended filesystem locations. This violates the documented guarantee that walkdir does not follow symlinks unless explicitly enabled.
Technical Details
walkdir verifies an entry’s type in handle_entry() and later opens it in push() using fs::read_dir(). These are separate filesystem operations. If an attacker replaces the checked directory with a symlink between those calls, walkdir will descend into the symlink despite follow_links(false).
Impact
This behavior breaks a core safety property relied on by callers using walkdir to traverse untrusted paths. In higher-privilege contexts, it can result in traversal outside the intended directory tree. Depending on how the application uses the enumerated paths, this can enable unauthorized data access, modification, or other security violations.
Fix
A complete fix is non-trivial and likely requires internal refactoring.
Status: CVE requested; ID pending. This public Github issue is filed following the maintainer’s guidance.
Researched by Mav Levin @ DepthFirst
A time-of-check/time-of-use (TOCTOU) race condition allows walkdir to traverse a symlink even with
follow_linksdisabled, the default behavior.When a privileged process uses walkdir on directories writable by an untrusted user, an attacker can exploit this race to redirect traversal into unintended filesystem locations. This violates the documented guarantee that walkdir does not follow symlinks unless explicitly enabled.
Technical Details
walkdir verifies an entry’s type in
handle_entry()and later opens it inpush()usingfs::read_dir(). These are separate filesystem operations. If an attacker replaces the checked directory with a symlink between those calls, walkdir will descend into the symlink despitefollow_links(false).Impact
This behavior breaks a core safety property relied on by callers using walkdir to traverse untrusted paths. In higher-privilege contexts, it can result in traversal outside the intended directory tree. Depending on how the application uses the enumerated paths, this can enable unauthorized data access, modification, or other security violations.
Fix
A complete fix is non-trivial and likely requires internal refactoring.
Status: CVE requested; ID pending. This public Github issue is filed following the maintainer’s guidance.
Researched by Mav Levin @ DepthFirst