Zrok WebDAV Drive Backend Symlink Following Vulnerability Allowing Arbitrary File Access

Vulnerability

A vulnerability in the Zrok WebDAV drive backend prior to version 2.0.2 allows symbolic links to be followed outside the designated DriveRoot. Remote WebDAV consumers can thereby read files and, in shares that are not additionally constrained by operating-system-level permissions, write or overwrite files anywhere on the host filesystem that is accessible to the Zrok process. The vulnerability arises because the WebDAV implementation restricts path traversal through lexical normalization of request paths but does not prevent symlink following, so a link inside the DriveRoot whose target lies outside it passes the check. Exploitation takes place entirely over the WebDAV endpoint, without authentication, user interaction, or special privileges.

Impact

Exploitation of this vulnerability allows an attacker to escape the WebDAV root and reach the broader host filesystem, with high confidentiality and integrity impact. Any file readable by the Zrok process can be read, and writable files can be overwritten, including sensitive files such as an SSH authorized_keys file.

Reproduction

To reproduce this vulnerability, create a symbolic link inside the shared DriveRoot that points to a location outside it, then access the Zrok share with a WebDAV client. The WebDAV PUT handler writes to the symlink target even when that target resolves outside the DriveRoot.
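The root cause described in the Vulnerability section (lexical normalization without symlink resolution) and the PUT behaviour in the Reproduction section can both be shown with a small path-containment check. The following Go program is an added example written for this page; it is not Zrok's code and does not reproduce Zrok's internal API. It places a weak, lexical-only resolver next to a hardened resolver that evaluates symlinks in the deepest existing prefix of the request path before re-checking containment, and builds a constructed temp-directory layout (a DriveRoot containing a file symlink and a directory symlink that both point outside it) to exercise the two. All function names are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a request path lands outside the drive root.
var ErrOutsideRoot = errors.New("path resolves outside drive root")

// underRoot reports whether p equals root or sits strictly below it.
// Both arguments must already be absolute and cleaned.
func underRoot(root, p string) bool {
	return p == root || strings.HasPrefix(p, root+string(filepath.Separator))
}

// lexicalResolve is the weak check: it normalises the request path with
// filepath.Clean and confirms the resulting *string* stays under root.
// "../secret.txt" is neutralised here, but the check never touches the
// filesystem, so a symlink inside root that points elsewhere passes.
func lexicalResolve(root, reqPath string) (string, error) {
	cleaned := filepath.Join(root, filepath.Clean("/"+reqPath))
	if !underRoot(root, cleaned) {
		return "", ErrOutsideRoot
	}
	return cleaned, nil
}

// safeResolve is the hardened check: after the lexical step it resolves
// symlinks in the deepest existing prefix of the path (for a PUT that
// creates a new file this is the parent directory), re-appends the
// not-yet-created tail and re-checks containment against the resolved root.
func safeResolve(root, reqPath string) (string, error) {
	cleaned, err := lexicalResolve(root, reqPath)
	if err != nil {
		return "", err
	}
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	// Peel path components until one exists on disk; the peeled part is the tail.
	existing, tail := cleaned, ""
	for {
		_, lerr := os.Lstat(existing)
		if lerr == nil {
			break
		}
		if !errors.Is(lerr, os.ErrNotExist) {
			return "", lerr
		}
		tail = filepath.Join(filepath.Base(existing), tail)
		existing = filepath.Dir(existing)
	}
	real, err := filepath.EvalSymlinks(existing)
	if err != nil {
		return "", err // dangling or unreadable link: refuse rather than guess
	}
	real = filepath.Join(real, tail)
	if !underRoot(realRoot, real) {
		return "", ErrOutsideRoot
	}
	return real, nil
}

// buildScenario lays out a constructed directory tree in a temp dir:
//   base/secret.txt                  a file outside the drive root
//   base/drive/                      the DriveRoot handed to the backend
//   base/drive/link -> ../secret.txt a file symlink escaping the root
//   base/drive/dir  -> ..            a directory symlink escaping the root
// It returns the root, the secret file's path and a cleanup function.
func buildScenario() (root, secret string, cleanup func(), err error) {
	base, err := os.MkdirTemp("", "drive-demo-")
	if err != nil {
		return "", "", nil, err
	}
	cleanup = func() { os.RemoveAll(base) }
	root = filepath.Join(base, "drive")
	secret = filepath.Join(base, "secret.txt")
	steps := []error{
		os.Mkdir(root, 0o755),
		os.WriteFile(secret, []byte("not for webdav\n"), 0o644),
		os.Symlink(filepath.Join("..", "secret.txt"), filepath.Join(root, "link")),
		os.Symlink("..", filepath.Join(root, "dir")),
	}
	for _, e := range steps {
		if e != nil {
			cleanup()
			return "", "", nil, e
		}
	}
	return root, secret, cleanup, nil
}

func main() {
	root, _, cleanup, err := buildScenario()
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	defer cleanup()
	for _, req := range []string{"../secret.txt", "link", "dir/secret.txt", "docs/new.txt"} {
		lex, lerr := lexicalResolve(root, req)
		safe, serr := safeResolve(root, req)
		fmt.Printf("%-14s lexical=%q err=%v | safe=%q err=%v\n", req, lex, lerr, safe, serr)
	}
}
```

Running it shows that "../secret.txt" is rejected by neither resolver in the sense of traversal (the dot-dot is simply clamped to the root), while "link" and "dir/secret.txt" pass the lexical check and are rejected only by safeResolve. The design point is that containment must be decided on the resolved path, and for a write to a new file it is the resolved parent directory that matters.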

Remediation

Users can update to Zrok version 2.0.2 or later, where this vulnerability has been fixed.

Added: May 8, 2026, 4:26 AM
Updated: May 8, 2026, 4:26 AM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          0.8
exploitability  7.2
remediation     0.0
relevance       7.8
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.