CRITICAL 9.8

PYSEC-2025-67

Details

A vulnerability classified as critical was found in Upsonic up to 0.55.6. This vulnerability affects the function os.path.join of the file markdown/server.py. The manipulation of the argument file.filename leads to path traversal. The exploit has been disclosed to the public and may be used.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / upsonic

Introduced in: 0 Fixed in: 0.56.0

Fix pip install --upgrade 'upsonic>=0.56.0'

References

https://vuldb.com/?ctiid.313282 [ADVISORY]
https://vuldb.com/?id.313282 [ADVISORY]
https://vuldb.com/?submit.593096 [ADVISORY]
https://github.com/Upsonic/Upsonic/issues/356 [EVIDENCE]
https://vuldb.com/?ctiid.313282 [WEB]
https://vuldb.com/?id.313282 [WEB]
https://vuldb.com/?submit.593096 [WEB]
https://github.com/advisories/GHSA-8jf4-fcjr-68c2 [ADVISORY]