rm: 'rm -rf ./' (and ./// variants) silently deletes current directory contents, bypassing dot protection
🔗 CVE IDs covered (1)
📋 Description
rm -rf . is correctly refused, but clean_trailing_slashes normalizes ./// to ./ while path_is_current_or_parent_directory only matches ./.. (and /.//..), not ./ or ../. So rm -rf ./ recursively deletes the directory's contents and then prints a misleading cannot remove './': Invalid input.
Impact: all files/subdirectories in the current directory are silently deleted; the misleading error makes users miss the recovery window. Recommendation: handle trailing-slash variants in path_is_current_or_parent_directory.
Remediation: Acknowledged by Canonical; fixed in commit d0e5af23.
Reported by Zellic in the uutils coreutils Program Security Assessment (prepared for Canonical, Jan 20 2026), audited commit 3a07ffc5a9bd4c283e75afa548ba1f1957bad242. Finding 3.60. Credit: Zellic.
Upstream tracking issue: https://github.com/uutils/coreutils/issues/9749 · CVE-2026-35363
🎯 Affected products1
- rust/uu_rm:< 0.6.0