UNIX Symbolic Link (Symlink) Following Affecting skillctl package, versions <0.1.2


Severity: high

CVSS assessment by Snyk's Security Team.

  • Snyk ID: SNYK-RUST-SKILLCTL-17661111
  • Published: 28 Jun 2026
  • Disclosed: 5 Jun 2026
  • Credit: Unknown

Introduced: 5 Jun 2026

CVE: NOT AVAILABLE
CWE-22
CWE-61

How to fix?

Upgrade skillctl to version 0.1.2 or higher.

Overview

Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following via improper validation of file paths and symlinks in multiple processes. An attacker can access or delete arbitrary files and directories on the system by supplying malicious symlinks, manipulating configuration fields such as destination or source_path, or using crafted command-line arguments. This is only exploitable if a user processes a malicious skills library or merges a pull request containing a crafted .skills.toml file.
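
Both weaknesses listed for this advisory (CWE-22 path traversal and CWE-61 symlink following) can be rejected at the point where a path taken from configuration is resolved. The Rust code below is an added example, not skillctl's code or its 0.1.2 fix; resolve_inside, root and field are hypothetical names, and the directory tree it checks is constructed for the demonstration.

```rust
use std::{fs, io, path::{Component, Path, PathBuf}};

// Added example: `root` and `field` are hypothetical names, not skillctl's API.
// `field` stands for an untrusted `destination` / `source_path` config value.
pub fn resolve_inside(root: &Path, field: &str) -> io::Result<PathBuf> {
    let deny = |m: &str| io::Error::new(io::ErrorKind::PermissionDenied, m.to_string());
    let mut current = root.canonicalize()?; // the root itself is trusted
    let mut named = false;
    for comp in Path::new(field).components() {
        match comp {
            Component::Normal(name) => { current.push(name); named = true; }
            Component::CurDir => continue,
            // Absolute paths and `..` are the CWE-22 escapes.
            _ => return Err(deny("path must be relative and free of `..`")),
        }
        // symlink_metadata inspects the link itself instead of following it (CWE-61).
        match fs::symlink_metadata(&current) {
            Ok(m) if m.file_type().is_symlink() => return Err(deny("symlink in path")),
            Ok(_) => {}
            Err(e) if e.kind() == io::ErrorKind::NotFound => {} // not created yet
            Err(e) => return Err(e),
        }
    }
    if named { Ok(current) } else { Err(deny("empty path")) }
}

// Builds a constructed library tree with one planted symlink and checks four values.
pub fn demo() -> io::Result<Vec<bool>> {
    let base = std::env::temp_dir().join(format!("symlink-demo-{}", std::process::id()));
    let _ = fs::remove_dir_all(&base);
    let (root, outside) = (base.join("library"), base.join("outside"));
    fs::create_dir_all(root.join("skills"))?;
    fs::create_dir_all(&outside)?;
    std::os::unix::fs::symlink(&outside, root.join("skills/evil"))?;
    let accepted = ["skills/new.md", "../outside/x", "/etc/passwd", "skills/evil/x"]
        .iter().map(|f| resolve_inside(&root, f).is_ok()).collect();
    fs::remove_dir_all(&base)?;
    Ok(accepted)
}

fn main() -> io::Result<()> {
    println!("{:?}", demo()?);
    Ok(())
}
```

A check-then-use validation like this still leaves a race window if the tree can be modified between the check and the file operation.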
