logo

Database

Lack of data validation - Path Traversal In github.com/openziti/zrok/v2

Description

zrok copy writes attacker-controlled WebDAV paths outside the destination root

Summary

Alice runs zrok2 copy from a WebDAV or zrok drive controlled by Bob into a local filesystem target. Bob returns a DAV href such as /../outside.txt. The sync pipeline stores that path in the source inventory and passes it to FilesystemTarget.WriteStream, which joins it with the target root and creates the file outside Alice's selected directory.

Impact

Users given access to a zrok share may be able to traverse the directory tree arbitrarily with the sharing users credentials, allowing for sensitive information to be overwritten.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-455762. NVD-2026-455763. OSV-2026-455764. GHSA-c656-jcx2-7pqj5. GCVE-2026-45576

References

1. https://github.com/openziti/zrok/security/advisories/GHSA-c656-jcx2-7pqj

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.