Listen to this Post
The vulnerability resides in zrok’s WebDAV drive backend, specifically in the `davServer.Dir` implementation. While the backend correctly sanitizes path traversal sequences like `../` using lexical normalization, it fails to restrict the server from following symbolic links.
If a symbolic link already exists within the shared directory (the DriveRoot) and points to a location outside that root, an attacker can leverage it to break out of the intended sandbox.
An attacker can interact with the public WebDAV endpoint and issue crafted HTTP requests (e.g., GET, PUT, DELETE) using the path of the existing symlink. The server follows the symlink, performing the requested operation on the target file in the broader host filesystem.
The `PUT` handler is particularly dangerous, as it opens files with the `O_RDWR|O_CREATE|O_TRUNC` flags. This allows an attacker to write or overwrite any file that the `zrok` process has permission to access, such as overwriting an SSH authorized keys file for code execution.
Exploitation requires a high attack complexity, as the necessary symlink must be placed locally before the share is created. However, once this precondition is met, the attack can be performed remotely with no authentication and requires no user interaction.
The security boundary is successfully escaped, giving the attacker access to the host filesystem. This can lead to a total compromise of confidentiality and integrity for the host running the zrok process.
This issue was fixed in version 2.0.2 by implementing checks to prevent symlink resolution that escapes the DriveRoot.
dailycve form:
Platform: zrok
Version: <1.1.11, <2.0.2
Vulnerability: Path Traversal
Severity: High
date: 2026-04-25
Prediction: 2026-04-25
What Undercode Say:
Check if a zrok share is vulnerable zrok share public --backend-mode drive --headless Simulate accessing a file via a symlink curl -X GET "https://<your-share-url>/symlink_to_external_file" Check the zrok process user context ps aux | grep zrok
Exploit:
- Precondition: A symlink (e.g.,
ln -s /etc/passwd /path/to/driveroot/passwd) exists inside the sharedDriveRoot. - Discover: Scan the WebDAV share to identify the symlink using commands like
PROPFIND. - Read: Issue a `GET` request to the symlink path (
/passwd) to retrieve the target file. - Write/Overwrite: Issue a `PUT` request to the symlink path to write data to the target file.
Protection from this CVE:
- Update: Immediately upgrade to `zrok` version 2.0.2 or later.
- Scan: Review shared directories for any existing symlinks pointing outside the intended share root.
- Enforce Least Privilege: Run the `zrok` process with a dedicated, low-privileged OS user to minimize the impact of a successful write/overwrite.
Impact:
- Confidentiality: Arbitrary files readable by the `zrok` process can be stolen.
- Integrity: Files accessible to the `zrok` process can be modified or overwritten, potentially allowing for remote code execution (e.g., overwriting
~/.ssh/authorized_keys). - Availability: No direct availability impact. The service itself remains operational.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

