CVE-2025-8406
MEDIUM6.3EPSS 0.04%ZenML is vulnerable to Path Traversal through its `PathMaterializer` class
發布日:2025/10/5修改日:2025/10/7
描述
ZenML version 0.83.1 is affected by a path traversal vulnerability in the `PathMaterializer` class. The `load` function uses `is_path_within_directory` to validate files during `data.tar.gz` extraction, which fails to effectively detect symbolic and hard links. This vulnerability can lead to arbitrary file writes, potentially resulting in arbitrary command execution if critical files are overwritten.
受影響套件(1)
- PyPI/zenml>= 0.81.0, < 0.84.2
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.3 | CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H |