GHSA-89p7-7cq3-hhr2MediumCVSS 5.6

rm: 'rm -rf ./' (and ./// variants) silently deletes current directory contents, bypassing dot protection

Published
July 6, 2026
Last Modified
July 6, 2026

🔗 CVE IDs covered (1)

📋 Description

rm -rf . is correctly refused, but clean_trailing_slashes normalizes ./// to ./ while path_is_current_or_parent_directory only matches ./.. (and /.//..), not ./ or ../. So rm -rf ./ recursively deletes the directory's contents and then prints a misleading cannot remove './': Invalid input.

Impact: all files/subdirectories in the current directory are silently deleted; the misleading error makes users miss the recovery window. Recommendation: handle trailing-slash variants in path_is_current_or_parent_directory.

Remediation: Acknowledged by Canonical; fixed in commit d0e5af23.


Reported by Zellic in the uutils coreutils Program Security Assessment (prepared for Canonical, Jan 20 2026), audited commit 3a07ffc5a9bd4c283e75afa548ba1f1957bad242. Finding 3.60. Credit: Zellic.

Upstream tracking issue: https://github.com/uutils/coreutils/issues/9749 · CVE-2026-35363

🎯 Affected products1

  • rust/uu_rm:< 0.6.0

🔗 References (4)