MEDIUM 6.3
PYSEC-2026-2071
ZenML is vulnerable to Path Traversal through its `PathMaterializer` class
상세
ZenML version 0.83.1 is affected by a path traversal vulnerability in the `PathMaterializer` class. The `load` function uses `is_path_within_directory` to validate files during `data.tar.gz` extraction, which fails to effectively detect symbolic and hard links. This vulnerability can lead to arbitrary file writes, potentially resulting in arbitrary command execution if critical files are overwritten.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
참고
- https://nvd.nist.gov/vuln/detail/CVE-2025-8406 [ADVISORY]
- https://github.com/zenml-io/zenml/commit/5d22a48d7bf6c7f10b748577c2be79cc7969d398 [WEB]
- https://github.com/zenml-io/zenml [PACKAGE]
- https://huntr.com/bounties/a0880d64-9928-45bf-9663-2cd81582d9e7 [WEB]
- https://pypi.org/project/zenml [PACKAGE]
- https://github.com/advisories/GHSA-q92x-2x5g-h365 [ADVISORY]