zrok (WebDAV drive backend), Path Traversal via Symlink Following, GHSA-74m3-9qvm-rp9h (High)

Listen to this Post

The vulnerability resides in zrok’s WebDAV drive backend, specifically in the `davServer.Dir` implementation. While the backend correctly sanitizes path traversal sequences like `../` using lexical normalization, it fails to restrict the server from following symbolic links.
If a symbolic link already exists within the shared directory (the DriveRoot) and points to a location outside that root, an attacker can leverage it to break out of the intended sandbox.
An attacker can interact with the public WebDAV endpoint and issue crafted HTTP requests (e.g., GET, PUT, DELETE) using the path of the existing symlink. The server follows the symlink, performing the requested operation on the target file in the broader host filesystem.
The `PUT` handler is particularly dangerous, as it opens files with the `O_RDWR|O_CREATE|O_TRUNC` flags. This allows an attacker to write or overwrite any file that the `zrok` process has permission to access, such as overwriting an SSH authorized keys file for code execution.
Exploitation requires a high attack complexity, as the necessary symlink must be placed locally before the share is created. However, once this precondition is met, the attack can be performed remotely with no authentication and requires no user interaction.
The security boundary is successfully escaped, giving the attacker access to the host filesystem. This can lead to a total compromise of confidentiality and integrity for the host running the zrok process.
This issue was fixed in version 2.0.2 by implementing checks to prevent symlink resolution that escapes the DriveRoot.

dailycve form:

Platform: zrok
Version: <1.1.11, <2.0.2
Vulnerability: Path Traversal
Severity: High
date: 2026-04-25

Prediction: 2026-04-25

What Undercode Say:

Check if a zrok share is vulnerable
zrok share public --backend-mode drive --headless
Simulate accessing a file via a symlink
curl -X GET "https://<your-share-url>/symlink_to_external_file"
Check the zrok process user context
ps aux | grep zrok

Exploit:

  1. Precondition: A symlink (e.g., ln -s /etc/passwd /path/to/driveroot/passwd) exists inside the shared DriveRoot.
  2. Discover: Scan the WebDAV share to identify the symlink using commands like PROPFIND.
  3. Read: Issue a `GET` request to the symlink path (/passwd) to retrieve the target file.
  4. Write/Overwrite: Issue a `PUT` request to the symlink path to write data to the target file.

Protection from this CVE:

  • Update: Immediately upgrade to `zrok` version 2.0.2 or later.
  • Scan: Review shared directories for any existing symlinks pointing outside the intended share root.
  • Enforce Least Privilege: Run the `zrok` process with a dedicated, low-privileged OS user to minimize the impact of a successful write/overwrite.

Impact:

  • Confidentiality: Arbitrary files readable by the `zrok` process can be stolen.
  • Integrity: Files accessible to the `zrok` process can be modified or overwritten, potentially allowing for remote code execution (e.g., overwriting ~/.ssh/authorized_keys).
  • Availability: No direct availability impact. The service itself remains operational.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top