ГлавнаяУязвимости → CVE-2025-8406
7.8высокая

CVE-2025-8406

Описание

ZenML version 0.83.1 is affected by a path traversal vulnerability in the `PathMaterializer` class. The `load` function uses `is_path_within_directory` to validate files during `data.tar.gz` extraction, which fails to effectively detect symbolic and hard links. This vulnerability can lead to arbitrary file writes, potentially resulting in arbitrary command execution if critical files are overwritten.

Затрагиваемое ПО
Zenml Zenml
CVSS
Балл7.8 — высокая
ВекторCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Источники
https://github.com/zenml-io/zenml/commit/5d22a48d7bf6c7f10b748577c2be79cc7969d398https://huntr.com/bounties/a0880d64-9928-45bf-9663-2cd81582d9e7https://huntr.com/bounties/a0880d64-9928-45bf-9663-2cd81582d9e7