CVE-2025-8406
Path Traversal in zenml-io/zenml
ZenML version 0.83.1 is affected by a path traversal vulnerability in the `PathMaterializer` class. The `load` function uses `is_path_within_directory` to validate files during `data.tar.gz` extraction, which fails to effectively detect symbolic and hard links. This vulnerability can lead to arbitrary file writes, potentially resulting in arbitrary command execution if critical files are overwritten.
CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Produtos afetados
zenml-io · zenml-io/zenmlQuer saber se a sua infraestrutura está exposta a isto?
Falar com a TrueHacking →