CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-FQF6-GXHH-2XHW

GHSA-FQF6-GXHH-2XHW: Silent Data Loss and Behavioral Mismatch in uutils coreutils Backup Logic

Amit Schendel
Amit Schendel
Senior Security Researcher

Jul 7, 2026·7 min read·4 visits

Executive Summary (TL;DR)

The Rust-based uutils coreutils implementation fails to trigger backup mode when only the --suffix parameter is specified, causing utilities like cp, mv, and ln to silently delete and overwrite existing target files without producing the expected safety backup.

A behavioral mismatch vulnerability (CWE-701) in the Rust-based uutils coreutils implementation of common command-line utilities allows silent data loss. When the --suffix argument is executed without explicit backup flags, the uucore library fails to enter backup mode, silently overwriting target files instead of creating preserving copies as expected under GNU standards.

Vulnerability Overview

The uutils coreutils project is a modern Rust re-implementation of the classic GNU coreutils software suite. It is designed to act as a secure, fast, and drop-in alternative for POSIX/GNU utility binaries across diverse server, desktop, and embedded platforms. A critical component of this ecosystem is the shared library crate known as uucore, which houses unified command-line argument processing, file system logic, and compatibility layers for tools including cp, mv, ln, and install.

Within GNU coreutils, specifying the -S or --suffix option implicitly informs the utility that a backup operation must be performed, defaulting the backup methodology to the 'existing' scheme if no other type is specified. This design ensures that target files are systematically preserved under a modified suffix name during replacement, relocation, or linkage events. In uutils coreutils, however, a critical mismatch exists because the presence of the --suffix flag alone is ignored by the backup control parser, defaulting the execution state to no-backup.

This behavior maps directly to CWE-701: Behavioral Mismatch, where a software application's internal implementation diverges from its documented reference design in a manner that compromises system expectations. By failing to align with standard GNU behavior, the toolkit introduces unexpected system actions. Users executing scripts containing custom suffix declarations will find their target files truncated or replaced without any preserving copies created.

Root Cause Analysis

The root cause of this flaw lies in the parser design found in the module src/uucore/src/lib/features/backup_control.rs. The function determine_backup_mode is tasked with evaluating arguments parsed by the clap crate and mapping them to a safe-state state-machine representation known as BackupMode. This enum can take values such as None, Simple, Numbered, or Existing.

Prior to the patch, determine_backup_mode only queried whether the explicit backup arguments were set in the clap match structure. The logic examined matches.contains_id(arguments::OPT_BACKUP) and matches.get_flag(arguments::OPT_BACKUP_NO_ARG). Because the parser lacked any matching check for the suffix identifier arguments::OPT_SUFFIX, any CLI call passing only --suffix would trigger the catch-all else block, returning BackupMode::None.

Subsequently, during the file-writing phase, the system queries get_backup_path to locate the target path where the existing file should be safely renamed. When this function receives BackupMode::None, it immediately returns None, skipping all backup copy mechanisms. The binary then proceeds with the destructive path creation step, truncating and overwriting the pre-existing target file in place. This design failure exemplifies CWE-459: Incomplete Cleanup / State Handling, as the application fails to initialize the target preservation states.

Code Analysis

To understand the implementation flaw, examine the vulnerable implementation of the argument parsing state-machine in uucore:

pub fn determine_backup_mode(matches: &ArgMatches) -> UResult<BackupMode> {
    if matches.contains_id(arguments::OPT_BACKUP) {
        // Code evaluates explicitly set backup parameters
        // ...
    } else if matches.get_flag(arguments::OPT_BACKUP_NO_ARG) {
        // ...
    } else {
        // No backup option was parsed, fallback directly to None
        Ok(BackupMode::None)
    }
}

When BackupMode::None is propagated to the file management layer, the backup target path generator resolves the path to None and aborts safety initialization:

pub fn get_backup_path(
    backup_mode: BackupMode,
    backup_path: &Path,
    suffix: &str,
) -> Option<PathBuf> {
    match backup_mode {
        BackupMode::None => None, // Safely returns None, bypasses backup file generation
        BackupMode::Simple => Some(simple_backup_path(backup_path, suffix)),
        BackupMode::Numbered => Some(numbered_backup_path(backup_path)),
        BackupMode::Existing => Some(existing_backup_path(backup_path, suffix)),
    }
}

The patch resolved this by inserting an additional conditional arm before falling back to None. This arm queries whether OPT_SUFFIX is present, evaluating environmental overrides before establishing a default backup scheme:

    } else if matches.contains_id(arguments::OPT_SUFFIX) {
        // Suffix option triggers backup mode even when --backup is omitted.
        // Default behavior falls back to "existing" unless overridden via VERSION_CONTROL env.
        if let Ok(method) = env::var("VERSION_CONTROL") {
            match_method(&method, "$VERSION_CONTROL")
        } else {
            Ok(BackupMode::Existing)
        }
    } else {
        Ok(BackupMode::None)
    }

This remediation successfully bridges the compatibility gap, aligning the logic paths with standard POSIX patterns.

Exploitation & Proof-of-Concept

An attacker with the ability to inject files or manipulate target destinations in system automation frameworks can weaponize this behavioral mismatch. Because standard scripts rely on --suffix for safety wrappers, executing these scripts under uutils coreutils leads to silent state corruption. No privilege escalation occurs directly, but target data is irrecoverably destroyed.

To demonstrate this behavior in a shell environment, initialize a target file containing dummy configuration data and run the vulnerable copy tool:

# 1. Initialize destination file with sensitive contents
echo "important_original_data" > /tmp/test_dest
 
# 2. Attempt a copy using uutils cp with suffix only
coreutils cp --suffix=.bak /etc/hostname /tmp/test_dest
 
# 3. Analyze the directory
ls -la /tmp/test_dest*

On a vulnerable deployment, only /tmp/test_dest is present, containing the contents of /etc/hostname. The safety file /tmp/test_dest.bak was never created, resulting in the permanent destruction of important_original_data without warning. The process exits with code 0, masking the loss from automated monitors.

A similar vector targets link replacement pipelines where symbolic links are forced over production settings:

# Initialize production reference
echo "critical_target_file" > /tmp/test_ln_dest
echo "some_source" > /tmp/test_ln_src
 
# Force link replacement with suffix
coreutils ln -f --suffix=.bak /tmp/test_ln_src /tmp/test_ln_dest

The target file /tmp/test_ln_dest is overwritten with the symbolic link, and no safety backup file /tmp/test_ln_dest.bak is generated, permanently deleting the file system's original configuration pointer.

Impact Assessment

The security impact of GHSA-FQF6-GXHH-2XHW is categorized primarily as high integrity destruction and resource loss. Standard deployments utilizing Rust-native environments under the assumption of drop-in compatibility are subject to sudden configuration corruption. This vulnerability holds a CVSS v3.1 score of 6.6 with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H.

The high rating on Integrity and Availability stems from the permanent nature of the data deletion. In automated scenarios like continuous integration pipelines, database rotation setups, or script-driven configuration loaders, failures do not cause command errors. Because the core utilities exit with zero status, orchestration platforms like Kubernetes or Ansible assume a successful safe rotation, leaving deployments functionally crippled but seemingly healthy.

In target environments, an attacker who can trigger administrative cleanup scripts can strategically manipulate destination files. Because the safety copy is bypassed, critical runtime variables, security policies, or operational databases can be permanently modified. This provides a direct path for denial-of-service, diagnostic logging erasure, and system disruption campaigns.

Remediation & Mitigation

To address this vulnerability, system administrators and developers must upgrade uutils coreutils to a release containing Pull Request #9741 or compile the suite from upstream sources updated after December 20, 2025. Software distributions packing uutils should patch their respective package definitions immediately to prevent silent failure states.

For systems where immediate upgrades of the binary suite are impossible due to technical debt, change management constraints, or air-gapped target environments, administrators must deploy script-level workarounds. This involves altering all instances of target commands within shell pipelines to explicitly pass the backup flag in conjunction with the suffix parameter:

# Vulnerable configuration pattern
mv --suffix=.bak source target
 
# Secure configuration pattern (workaround)
mv --backup --suffix=.bak source target

Additionally, validation checks must be added to verify file existence and backup state presence inside cron tasks. Security teams should scan orchestration scripts to locate any raw dependencies on suffix-based preservation patterns, ensuring that the necessary logic flags are present to bypass the flawed code paths.

Official Patches

uutilsFix backup option handling: Suffix option is enough to determine mode even if --backup is not set
uutilsRaw diff patch resolving the backup determination branch missing OPT_SUFFIX check

Fix Analysis (1)

Technical Appendix

CVSS Score
6.6/ 10
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Affected Systems

uutils coreutils (specifically the uucore shared library module)

Affected Versions Detail

Product
Affected Versions
Fixed Version
uutils coreutils
uutils
<= 0.0.280.0.29 / PR 9741
AttributeDetail
CWE IDCWE-701: Behavioral Mismatch / CWE-459: Incomplete Cleanup
Attack VectorLocal (L)
CVSS v3.1 Score6.6 (Medium)
EPSS ScoreNot Applicable (No registered CVE)
ImpactHigh Integrity Destruction and File Resource Deletion
Exploit StatusProof of Concept (PoC) available and verified
KEV StatusNot Listed

MITRE ATT&CK Mapping

T1485Data Destruction
Impact
T1565Data Manipulation
Impact
CWE-701
Behavioral Mismatch

The product's behavior deviates significantly from its expected specification or equivalent system, resulting in unexpected outcomes.

Known Exploits & Detection

GitHub IssuePublic issue demonstrating reproducible silent data loss steps for cp, mv, and ln commands.

Vulnerability Timeline

Vulnerability identified and reported in uutils coreutils GitHub repository.
2025-12-18
Pull Request #9741 submitted and merged to patch the uucore library code.
2025-12-20
GitHub Advisory GHSA-FQF6-GXHH-2XHW published tracking the behavioral mismatch.
2025-12-20

References & Sources

  • [1]GitHub Security Advisory GHSA-FQF6-GXHH-2XHW
  • [2]GitHub Issue: cp/install/mv/ln --suffix alone does not enable backup mode
  • [3]GitHub Pull Request: fix: Suffix option is enough to determine backup mode

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•23 minutes ago•GHSA-J8V8-G9CX-5QF4
8.8

GHSA-J8V8-G9CX-5QF4: Missing Authorization and Access Control Flaw in @better-auth/scim

An authorization bypass vulnerability in the @better-auth/scim plugin allows authenticated attackers to hijack personal SCIM providers and subsequently perform full account takeovers.

Alon Barad
Alon Barad
2 views•6 min read
•about 2 hours ago•CVE-2025-46571
5.4

CVE-2025-46571: Stored Cross-Site Scripting (XSS) in Open WebUI

Open WebUI versions prior to 0.6.6 contain a stored cross-site scripting (XSS) vulnerability that allows low-privileged users to upload malicious HTML files containing arbitrary JavaScript. When viewed by an administrator, the executed script can abuse administrative APIs to register malicious functions, leading to remote code execution on the underlying server host.

Amit Schendel
Amit Schendel
4 views•6 min read
•about 3 hours ago•CVE-2025-46719
7.4

CVE-2025-46719: Stored XSS and Administrative RCE in Open WebUI

A critical Stored Cross-Site Scripting (XSS) vulnerability exists in Open WebUI versions prior to 0.6.6. The vulnerability resides in client-side Markdown rendering, where unvalidated iframe tags containing local API base URLs bypass DOMPurify sanitization. This flaw allows authenticated attackers to steal user session tokens. If an administrative session is compromised, the attacker can leverage the application's native Python execution capabilities ('Functions') to achieve arbitrary Remote Code Execution (RCE) on the hosting server.

Alon Barad
Alon Barad
4 views•6 min read
•about 3 hours ago•CVE-2026-26192
7.3

CVE-2026-26192: Stored Cross-Site Scripting via Insecure Iframe Sandbox in Open WebUI

CVE-2026-26192 is a high-severity Stored Cross-Site Scripting (XSS) vulnerability in Open WebUI prior to version 0.7.0. Authenticated users can modify chat history metadata to force document citations to render inside an HTML iframe configured with an insecure sandbox policy. By combining 'allow-scripts' and 'allow-same-origin', the sandbox boundary is neutralized. This allows scripts executing within the iframe to access the parent window's DOM, extract sensitive Web UI local storage keys (such as authentication JWTs), and perform state-changing actions on behalf of other users, including administrators.

Amit Schendel
Amit Schendel
5 views•6 min read
•about 4 hours ago•CVE-2026-26193
7.3

CVE-2026-26193: Stored XSS via iFrame Embeds in Open WebUI Response Messages

CVE-2026-26193 is a stored Cross-Site Scripting (XSS) vulnerability in Open WebUI prior to version 0.6.44. The vulnerability arises because the rendering engine hardcodes insecure sandbox options on an iframe component used for response embeds, allowing attackers to execute JavaScript in the parent window origin.

Amit Schendel
Amit Schendel
4 views•7 min read
•about 4 hours ago•CVE-2026-34225
4.3

CVE-2026-34225: Blind Server-Side Request Forgery in Open WebUI Image Edit Endpoint

Open WebUI versions 0.7.2 and below contain a blind Server-Side Request Forgery (SSRF) vulnerability. The flaw exists within the image editing router, specifically inside the /api/v1/images/edit endpoint. An authenticated attacker with low privileges can exploit this endpoint to initiate asynchronous HTTP GET requests to local, private, or internal network services, mapping system resources and bypassing boundary restrictions.

Amit Schendel
Amit Schendel
6 views•6 min read