CVE-2025-8917
MEDIUM 5.8
EPSS 0.03%
clearml is vulnerable to Path Traversal through its `safe_extract` function
Published: 2025/10/5
Modified: 2025/10/7
Description
A vulnerability in clearml versions before 2.0.2 allows for path traversal due to improper handling of symbolic and hard links in the `safe_extract` function. This flaw can lead to arbitrary file writes outside the intended directory, potentially resulting in remote code execution if critical files are overwritten.
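A pre-extraction check for the class of flaw described above, as an added example; it is not clearml's `safe_extract` and not the project's fix. The function names, the constructed `SAMPLE` entries and the policy (reject the archive if any member path or link target leaves the extraction root or resolves through a link the archive itself creates, with extraction into an empty directory) are assumptions.

```python
import io
import tarfile

# Constructed sample: a link pointing outside the root, then a write through it.
SAMPLE = [("out", tarfile.SYMTYPE, "../elsewhere"), ("out/file.txt", tarfile.REGTYPE, "")]


def _walk(start, path, links, final_ok):
    """Resolve path lexically under the root; None if it escapes or crosses a link."""
    if path.startswith("/"):
        return None
    cur, parts = list(start), [p for p in path.split("/") if p not in ("", ".")]
    for i, part in enumerate(parts):
        if part == "..":
            if not cur:
                return None  # climbed above the extraction root
            cur.pop()
            continue
        cur.append(part)
        if "/".join(cur) in links and not (final_ok and i == len(parts) - 1):
            return None  # the OS would follow a link planted by the archive
    return cur


def unsafe_members(tar):
    """Return (name, reason) for each member that could write outside the root."""
    links = {"/".join(w) for m in tar.getmembers() if (m.issym() or m.islnk())
             and (w := _walk([], m.name, set(), True))}
    bad = []
    for m in tar.getmembers():
        where = _walk([], m.name, links, True)
        if where is None:
            bad.append((m.name, "path escapes root or crosses a link"))
        elif m.issym() or m.islnk():
            # Symlinks resolve from their own directory, hard links from the root.
            start = where[:-1] if m.issym() else []
            if _walk(start, m.linkname, links, False) is None:
                bad.append((m.name, "link target escapes root or crosses a link"))
    return bad


def sample_archive(entries):  # constructed in-memory tar from (name, type, linkname)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, linkname in entries:
            info = tarfile.TarInfo(name)
            info.type, info.linkname = kind, linkname
            tar.addfile(info)
    return tarfile.open(fileobj=io.BytesIO(buf.getvalue()))
```

Extract only when `unsafe_members` returns an empty list. Python 3.12 and later also ship `tarfile` extraction filters (`filter="data"`) that reject links pointing outside the destination.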
Affected packages (1)
- PyPI/clearml from 0, < 2.0.2
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.8 | CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N |