CVE-2025-8917

MEDIUM 5.8 | EPSS 0.03%

clearml is vulnerable to Path Traversal through its `safe_extract` function

Published: 10/5/2025
Modified: 10/7/2025
Also known as: GHSA-579p-qf78-fqm2

Description

A vulnerability in clearml versions before 2.0.2 allows for path traversal due to improper handling of symbolic and hard links in the `safe_extract` function. This flaw can lead to arbitrary file writes outside the intended directory, potentially resulting in remote code execution if critical files are overwritten.
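The class of flaw described above can be caught with a pre-extraction audit that resolves every member path and link target against the destination. The following is an added example, not clearml's `safe_extract` and not its fix; it assumes a tar archive and POSIX paths, and `audit_members`, `build_sample`, `SAMPLE` and the destination `/srv/extract` are hypothetical names.

```python
import io
import os
import tarfile

# Constructed sample members: (name, type, linkname). Not taken from the advisory.
SAMPLE = [("ok/readme.txt", tarfile.REGTYPE, ""),
          ("ok/cfg", tarfile.SYMTYPE, "../../outside"),
          ("ok/cfg/settings.ini", tarfile.REGTYPE, ""),
          ("hard", tarfile.LNKTYPE, "/etc/passwd")]


def audit_members(tar, dest):
    """Return (name, reason) for members that would write or link outside dest."""
    root = os.path.realpath(dest)
    links = {}  # extracted path of a link -> where that link points
    def inside(path):
        return os.path.commonpath([root, path]) == root
    def walk(start, rel):
        # Resolve rel one component at a time, following links declared earlier.
        path = "/" if rel.startswith("/") else start
        for part in rel.split("/"):
            if part not in ("", "."):
                path = os.path.normpath(os.path.join(path, part))
                path = links.get(path, path)
        return path
    problems = []
    for m in tar.getmembers():
        target = walk(root, m.name)
        if not inside(target):
            problems.append((m.name, "path escapes destination"))
            continue
        if not (m.issym() or m.islnk()):
            continue
        # Symlink targets are relative to the link's directory, hard links to the root.
        base = os.path.dirname(target) if m.issym() else root
        link_to = walk(base, m.linkname)
        if not inside(link_to):
            problems.append((m.name, "link target escapes destination"))
        links[target] = link_to
    return problems


def build_sample():
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, linkname in SAMPLE:
            info = tarfile.TarInfo(name)
            info.type, info.linkname = kind, linkname
            tar.addfile(info)
    return tarfile.open(fileobj=io.BytesIO(buf.getvalue()))
```

An archive for which `audit_members` returns anything should be rejected as a whole rather than partially extracted. On Python 3.12 and later, `tarfile` also offers extraction filters such as `extractall(filter="data")`, which refuse links that point outside the destination.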

Affected packages (1)

CVSS scores

Source | Version | Severity | Vector
osv | CVSS 3.1 | MEDIUM 5.8 | CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

References (4)