CVE-2025-8406
Path Traversal in zenml-io/zenml
ZenML version 0.83.1 is affected by a path traversal vulnerability in the `PathMaterializer` class. The `load` function uses `is_path_within_directory` to validate files during `data.tar.gz` extraction, which fails to effectively detect symbolic and hard links. This vulnerability can lead to arbitrary file writes, potentially resulting in arbitrary command execution if critical files are overwritten.
CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Productos afectados
zenml-io · zenml-io/zenml¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →