CVE-2025-55214: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in copier-org copier
Copier is a library and CLI app for rendering project templates. From 7.1.0 to before 9.9.1, Copier suggests that it is safe to generate a project from a "safe" template, i.e. one that does not use unsafe features such as custom Jinja extensions, which would require passing the --UNSAFE / --trust flag. As it turns out, a safe template can write files outside the destination path where a project is generated or updated. This is possible when rendering a generated directory structure whose rendered path is either a relative parent path or an absolute path. Constructing such paths is possible using Copier's built-in pathjoin Jinja filter and its built-in _copier_conf.sep variable, which is the platform-native path separator. This way, a malicious template author can create a template that overwrites arbitrary files (subject to the user's write permissions), e.g., to cause havoc. This vulnerability is fixed in 9.9.1.
AI Analysis
Technical Summary
CVE-2025-55214 is a path traversal vulnerability in the Copier library and CLI application, versions 7.1.0 up to but not including 9.9.1. Copier is a tool used to render project templates, designed to generate or update project files from predefined templates. The vulnerability arises because Copier incorrectly assumes that templates marked as safe (i.e., those not requiring the --UNSAFE or --trust flags) cannot write files outside the intended project directory. However, a malicious template author can exploit the built-in Jinja filter 'pathjoin' combined with the '_copier_conf.sep' variable (which represents the platform-native path separator) to craft directory paths that traverse outside the target directory. This allows the template to write or overwrite arbitrary files on the filesystem, limited only by the user's write permissions. Such unauthorized file writes can lead to data corruption, privilege escalation attempts, or disruption of system operations. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and has a CVSS v4.0 score of 6.9 (medium severity). Exploitation requires local access and user interaction (running Copier with a malicious template), but no authentication or elevated privileges are required to trigger the issue. The vulnerability was fixed in version 9.9.1 of Copier.
Potential Impact
For European organizations, this vulnerability poses a moderate risk, especially for development teams or automation pipelines that use Copier to generate projects from templates. If a malicious or compromised template is introduced, either from an untrusted source or via a supply chain attack, it could lead to unauthorized overwriting of critical files on developer machines or build servers. This could result in corrupted source code, compromised build artifacts, or even insertion of malicious code, potentially cascading into production environments. The impact is heightened in environments where Copier is used in automated CI/CD pipelines without strict template validation. Confidentiality impact is limited since the vulnerability primarily allows file overwrite rather than direct data exfiltration, but integrity and availability can be significantly affected. Given the medium CVSS score and the requirement for user interaction, the threat is moderate but should not be underestimated in sensitive or high-security environments.
Mitigation Recommendations
1. Upgrade Copier to version 9.9.1 or later immediately to apply the official patch that fixes this path traversal vulnerability.
2. Implement strict validation and vetting of all templates before use, especially those sourced externally or from third parties.
3. Restrict Copier usage to trusted users and environments, minimizing exposure to untrusted templates.
4. Employ filesystem monitoring tools to detect unexpected file writes or modifications outside designated project directories during template rendering.
5. Integrate template scanning tools or static analysis to detect suspicious path traversal patterns in templates before execution.
6. Use containerized or sandboxed environments for template rendering to limit the impact of potential file overwrites.
7. Educate developers and DevOps teams about the risks of using untrusted templates and the importance of applying the --UNSAFE or --trust flags only when absolutely necessary and with caution.
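The defensive counterpart of the issue described above is a destination-containment check: every file or directory name a template renders is resolved against the destination directory, and anything that lands outside it (a relative parent path or an absolute path, the two shapes the advisory names) is rejected before a single byte is written. The following is an added illustration, not Copier's own code; the function names and the sample rendered paths are constructed for the example.

```python
"""Destination-containment check for rendered template paths (added
example, not Copier's code): reject rendered names that would escape
the destination directory via ".." or an absolute path."""
import os
from typing import Iterable, List, Optional


def resolve_inside(dst_root: str, rendered_path: str) -> Optional[str]:
    """Return the resolved absolute target for `rendered_path`, or None if
    it would land outside `dst_root`.

    os.path.join discards `root` when its second argument is absolute, so
    an absolute rendered name escapes through the very call a generator
    uses to build the target; the commonpath check catches that as well
    as ".." components. realpath also follows existing symlinks, so a
    link inside the project that points elsewhere is rejected too.
    """
    root = os.path.realpath(dst_root)
    candidate = os.path.realpath(os.path.join(root, rendered_path))
    try:
        # commonpath, not str.startswith: "/proj-other/x" must not count
        # as inside "/proj".
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # paths on different drives (Windows)
        inside = False
    return candidate if inside else None


def reject_escaping_paths(dst_root: str, rendered: Iterable[str]) -> List[str]:
    """Return the rendered paths that would escape `dst_root`."""
    return [p for p in rendered if resolve_inside(dst_root, p) is None]


# Constructed sample, shaped like names a template might render
# (hypothetical values, not taken from any real template).
SAMPLE_RENDERED = [
    "src/app/__init__.py",                                    # fine
    os.sep.join(["..", "..", "escape.txt"]),                  # parent path
    os.path.join(os.path.abspath(os.sep), "tmp", "abs.txt"),  # absolute
    "src/../README.md",                                       # normalises back inside
]

if __name__ == "__main__":
    for path in SAMPLE_RENDERED:
        verdict = "ok    " if resolve_inside("project", path) else "REJECT"
        print(verdict, path)
```

Running the block prints a verdict per sample path; only the parent-path and absolute-path entries are rejected, while "src/../README.md" normalises back inside the project and is kept.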
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-08-08T21:55:07.967Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68a3592dad5a09ad00b0a8b6
Added to database: 8/18/2025, 4:47:41 PM
Last enriched: 8/18/2025, 5:03:46 PM
Last updated: 8/19/2025, 12:34:27 AM