GHSA-74M3-9QVM-RP9H: Arbitrary Host Filesystem Access via Symlink Following in zrok WebDAV
Vulnerability ID: GHSA-74M3-9QVM-RP9H
CVSS Score: 8.8
Published: 2026-04-25
A critical vulnerability in the WebDAV drive backend of openziti/zrok allows users, authenticated or not, to escape the designated shared directory. By creating or interacting with symbolic links, an attacker can achieve arbitrary file read and write access on the host system running the zrok process.
TL;DR
zrok versions prior to 2.0.1 fail to validate the targets of symbolic links in the WebDAV drive backend. This improper link resolution enables attackers to read or modify arbitrary files on the host filesystem with the privileges of the zrok process.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-59, CWE-61
- Attack Vector: Network
- CVSS v3.1 Score: 8.8 (High)
- Exploit Status: Proof of Concept
- Confidentiality Impact: High
- Integrity Impact: High
Affected Systems
- openziti/zrok WebDAV drive backend
- openziti/zrok: < 2.0.1 (Fixed in: 2.0.1)
Mitigation Strategies
- Upgrade openziti/zrok to a patched version
- Disable WebDAV backend functionality if unneeded
- Restrict zrok process execution permissions (Principle of Least Privilege)
- Enforce read-only permissions on untrusted WebDAV shares
Remediation Steps
- Identify all deployments utilizing the openziti/zrok package.
- Verify the current version of the zrok binary in production environments.
- Update the project dependencies to pull openziti/zrok v2.0.1 or higher.
- Recompile the application and deploy the updated binaries.
- Audit existing WebDAV shared directories for unauthorized symbolic links.
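As an added example (not code from the zrok project), a Go helper for the last step above: it walks a share root, resolves every symlink it finds, and reports those whose target lands outside the root. `insideRoot` is also the confinement check a WebDAV backend must apply to a fully resolved path before serving or writing it. The function names and the directories passed on the command line are assumptions.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// insideRoot reports whether p, with every symlink followed, still lies
// inside the resolved share root. Both sides are resolved so that a
// symlinked root (e.g. /tmp on macOS) compares correctly.
func insideRoot(root, p string) (bool, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return false, err
	}
	realPath, err := filepath.EvalSymlinks(p)
	if err != nil {
		return false, err // dangling link: caller treats it as unsafe
	}
	rel, err := filepath.Rel(realRoot, realPath)
	if err != nil {
		return false, err
	}
	// A relative path that starts with ".." has left the root.
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)), nil
}

// auditShare returns every symlink under root whose target resolves
// outside root. WalkDir does not follow symlinks, so a linked directory
// is reported once rather than descended into.
func auditShare(root string) ([]string, error) {
	var escaped []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.Type()&fs.ModeSymlink == 0 {
			return nil
		}
		if ok, err := insideRoot(root, p); err != nil || !ok {
			escaped = append(escaped, p)
		}
		return nil
	})
	return escaped, err
}

func main() {
	for _, dir := range os.Args[1:] { // share roots to audit (assumed argument form)
		bad, err := auditShare(dir)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			continue
		}
		for _, p := range bad {
			fmt.Println("escapes share:", p)
		}
	}
}
```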
References
- GitHub Advisory: GHSA-74m3-9qvm-rp9h
- openziti/zrok Releases
- openziti/zrok CHANGELOG.md
- SOOS Vulnerability Database - GHSA-74m3-9qvm-rp9h