VDB
EN
MEDIUM 6.6

PYSEC-2026-2270

상세

python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, `set_key()` and `unset_key()` in python-dotenv follow symbolic links when rewriting `.env` files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when a cross-device rename fallback is triggered. Users should upgrade to v.1.2.2 or, as a workaround, apply the patch manually.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

PyPI / python-dotenv
최초 영향 버전: 0 수정 버전: 1.2.2
수정 pip install --upgrade 'python-dotenv>=1.2.2'

참고