CVE-2026-45576

zrok copy writes attacker-controlled WebDAV paths outside the destination root

發布日:2026/5/19修改日:2026/5/19

描述

## Summary Alice runs `zrok2 copy` from a WebDAV or zrok drive controlled by Bob into a local filesystem target. Bob returns a DAV `href` such as `/../outside.txt`. The sync pipeline stores that path in the source inventory and passes it to `FilesystemTarget.WriteStream`, which joins it with the target root and creates the file outside Alice's selected directory. ### Impact Users given access to a zrok share may be able to traverse the directory tree arbitrarily with the sharing users credentials, allowing for sensitive information to be overwritten.

受影響套件(2)

Go/github.com/openziti/zrok>= 0.4.23, <= 1.1.11
Go/github.com/openziti/zrok/v2from 0, < 2.0.3

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N

參考連結(2)

PATCHhttps://github.com/openziti/zrok
WEBhttps://github.com/openziti/zrok/security/advisories/GHSA-c656-jcx2-7pqj