
Path boundary checks bypass via symlink, TOCTOU, and hardlink

High
qhkm published GHSA-2m67-cxxq-c3h8 Mar 11, 2026

Package

cargo zeptoclaw (Rust)

Affected versions

<= 0.7.5

Patched versions

0.7.6

Description

Summary

Workspace boundary enforcement currently has three related bypass risks. This issue tracks fixing all three in one pull request.

Details

R1 - Dangling Symlink Component Bypass

  • What happens: Path validation can miss dangling symlink components during traversal checks.
  • Why it matters: A symlink that is unresolved at validation time can later resolve to an external location.
  • Impact: Read and write operations may escape workspace boundaries.
  • Affected area: src/security/path.rs (check_symlink_escape).

R2 - TOCTOU Between Validation and Use

  • What happens: The path is validated first, then used later for filesystem operations.
  • Why it matters: A concurrent filesystem change can swap path components after validation but before open/write.
  • Impact: Race-based workspace escape is possible.
  • Affected area: Filesystem and file-consuming tools that call validate_path_in_workspace before I/O.

R3 - Hardlink Alias Bypass

  • What happens: A file inside the workspace can be a hardlink to an inode outside the intended workspace trust boundary.
  • Why it matters: Prefix and symlink checks can pass while data access still mutates or reads external content.
  • Impact: Policy bypass for read/write operations.
  • Affected area: Any tool that reads or writes via validated paths.

Risk Matrix

| ID | Risk | Severity | Likelihood | Impact |
|----|------|----------|------------|--------|
| R1 | Dangling symlink component bypass | High | Medium | Workspace boundary escape for read/write |
| R2 | Validate/use TOCTOU race | High | Medium | Race-based boundary escape during file I/O |
| R3 | Hardlink alias bypass | Medium | Low-Medium | External inode read/write through in-workspace path |

PoC

R1 - Dangling symlink component bypass

  1. Create a symlink inside the workspace pointing to a missing target.
  2. Validate a path traversing that symlink.
  3. Create the target directory outside the workspace after validation.
  4. Perform the file operation and observe a potential boundary escape if validation is not fail-closed.

R2 - TOCTOU between validation and use

  1. Validate a candidate in-workspace path.
  2. Before open/write, replace an intermediate component with a link to an external location.
  3. Continue with the file operation.
  4. Observe boundary escape if operation trusts only stale validation result.

R3 - Hardlink alias bypass

  1. Place a hardlink inside the workspace that points to an external inode.
  2. Validate the in-workspace hardlink path.
  3. Read or write through this path.
  4. Observe external inode access through a path that appears in-scope.
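The following is an added example, not zeptoclaw's own code and not its validate_path_in_workspace or check_symlink_escape; all function and variant names are hypothetical. It shows one fail-closed treatment of the three scenarios above: R1 by requiring every symlink component to resolve at validation time (realpath fails on a dangling link, and that failure is an error rather than a deferred lookup), R2 by re-checking the descriptor that was actually opened instead of trusting the earlier name lookup, and R3 by rejecting an opened inode whose link count is above one. It assumes Linux, because it reads /proc/self/fd/N to learn which path the kernel opened, and it builds a constructed fixture under the temp directory so the checks can be exercised offline.

```rust
// Added example, not zeptoclaw's code: a fail-closed workspace boundary check
// for the three advisory scenarios. Names are hypothetical. Linux-specific:
// it reads /proc/self/fd/N to learn which path an open descriptor really names.
use std::fs::{self, File, OpenOptions};
use std::io;
use std::os::unix::fs::{symlink, MetadataExt};
use std::os::unix::io::AsRawFd;
use std::path::{Path, PathBuf};

#[derive(Debug)]
pub enum BoundaryError {
    Io(io::Error),
    UnresolvedComponent(PathBuf), // R1: dangling symlink or missing directory
    OutsideWorkspace(PathBuf),    // resolved or opened path is not under the workspace
    HardlinkAlias(PathBuf),       // R3: the opened inode has more than one name
    Swapped { expected: PathBuf, actual: PathBuf }, // R2: handle != validated path
    NotRegularFile(PathBuf),
}

impl From<io::Error> for BoundaryError {
    fn from(e: io::Error) -> Self { BoundaryError::Io(e) }
}

/// R1: resolve `candidate` under `workspace`, failing closed. realpath(3) errors on
/// a dangling symlink anywhere in the directory part, and a dangling final symlink
/// is rejected too; only a final component that does not exist yet is accepted,
/// so that new files can be created under the already-canonical parent.
pub fn resolve_in_workspace(workspace: &Path, candidate: &Path) -> Result<PathBuf, BoundaryError> {
    let ws = fs::canonicalize(workspace)?;
    let joined = ws.join(candidate);
    let (parent, name) = match (joined.parent(), joined.file_name()) {
        (Some(p), Some(n)) => (p.to_path_buf(), n.to_owned()),
        _ => return Err(BoundaryError::OutsideWorkspace(joined)), // e.g. ends in ".."
    };
    let parent = fs::canonicalize(&parent)
        .map_err(|_| BoundaryError::UnresolvedComponent(parent.clone()))?;
    let target = parent.join(name);
    let resolved = match fs::symlink_metadata(&target) {
        Ok(m) if m.file_type().is_symlink() => fs::canonicalize(&target)
            .map_err(|_| BoundaryError::UnresolvedComponent(target.clone()))?,
        Ok(_) => target,
        Err(e) if e.kind() == io::ErrorKind::NotFound => target,
        Err(e) => return Err(e.into()),
    };
    if !resolved.starts_with(&ws) {
        return Err(BoundaryError::OutsideWorkspace(resolved));
    }
    Ok(resolved)
}

/// R2/R3: check the descriptor that was actually opened, not the name again.
/// fstat(2) on the handle gives the link count; /proc gives the path the kernel opened.
pub fn verify_handle(workspace: &Path, file: &File) -> Result<PathBuf, BoundaryError> {
    let ws = fs::canonicalize(workspace)?;
    let actual = fs::read_link(format!("/proc/self/fd/{}", file.as_raw_fd()))?;
    let meta = file.metadata()?;
    if !meta.is_file() {
        return Err(BoundaryError::NotRegularFile(actual));
    }
    if meta.nlink() > 1 {
        return Err(BoundaryError::HardlinkAlias(actual));
    }
    if !actual.starts_with(&ws) {
        return Err(BoundaryError::OutsideWorkspace(actual));
    }
    Ok(actual)
}

/// Validate, open, then re-check the handle before any I/O uses it.
pub fn open_in_workspace(workspace: &Path, candidate: &Path, write: bool) -> Result<File, BoundaryError> {
    let expected = resolve_in_workspace(workspace, candidate)?;
    let file = OpenOptions::new().read(true).write(write).create(write).open(&expected)?;
    let actual = verify_handle(workspace, &file)?;
    if actual != expected {
        return Err(BoundaryError::Swapped { expected, actual });
    }
    Ok(file)
}

/// Constructed fixture (not real data) laying out the advisory's scenarios under
/// a temp dir. Returns (workspace, outside).
pub fn build_fixture(tag: &str) -> io::Result<(PathBuf, PathBuf)> {
    let root = std::env::temp_dir().join(format!("zc_boundary_{}_{}", std::process::id(), tag));
    let _ = fs::remove_dir_all(&root);
    let (ws, out) = (root.join("workspace"), root.join("outside"));
    fs::create_dir_all(ws.join("sub"))?;
    fs::create_dir_all(&out)?;
    fs::write(ws.join("sub").join("data.txt"), b"inside")?;
    fs::write(out.join("secret.txt"), b"outside")?;
    fs::write(out.join("data.txt"), b"outside")?;
    symlink(root.join("missing"), ws.join("dangling"))?; // R1: target does not exist
    symlink(&out, ws.join("escape"))?;                  // symlink to an external dir
    fs::hard_link(out.join("secret.txt"), ws.join("alias.txt"))?; // R3: external inode
    Ok((ws, out))
}

fn main() -> Result<(), BoundaryError> {
    let (ws, out) = build_fixture("demo")?;
    for c in ["sub/data.txt", "dangling/file.txt", "escape/secret.txt", "alias.txt"].iter() {
        println!("{}: {:?}", c, open_in_workspace(&ws, Path::new(*c), false).map(|_| "ok"));
    }
    // R2: validation done, then the directory is swapped for a link before use.
    let stale = resolve_in_workspace(&ws, Path::new("sub/data.txt"))?;
    fs::rename(ws.join("sub"), ws.join("sub_old"))?;
    symlink(&out, ws.join("sub"))?;
    let reopened = File::open(&stale)?; // name lookup now follows the swapped link
    println!("after swap: {:?}", verify_handle(&ws, &reopened));
    Ok(())
}
```

The design point is that the path returned by validation is only advisory: the caller must hand the opened File, not the path, to the code that does I/O, and the verdict comes from properties of that handle (fstat, the kernel's own record of what was opened). The link-count test is a hardening step rather than a complete answer to R3, since a second name can be created after the check; a stricter policy would compare the opened inode's (dev, ino) against an allow-list of workspace-created files.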

Impacts

Unauthorized access across the workspace path boundary

Credit

@zpbrent

Patch

f50c17e11ae3e2d40c96730abac41974ef2ee2a8

Severity

High

CVE ID

CVE-2026-32232

Weaknesses

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

UNIX Hard Link (CWE-62)

The product, when opening a file or directory, does not sufficiently account for when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
