CVE-2026-54557: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in jdx mise
mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.6.1, the mise HTTP backend builds its install symlink destination from the raw resolved version string for non-latest versions. Normal tool install paths use the sanitized version pathname, but the HTTP backend's symlink path uses the raw value. On Unix-like systems, if that version is an absolute path, PathBuf::join discards the intended mise installs root. A repository-controlled .tool-versions file can therefore make mise install create a symlink outside the mise install tree. With bin_path, the same issue can place an executable symlink under an attacker-selected absolute prefix, such as a developer-tool prefix that is later added to PATH. This vulnerability is fixed in 2026.6.1.
AI Analysis
Technical Summary
The jdx mise tool manages developer tools installations and prior to version 2026.6.1, its HTTP backend constructs symlink destinations using the raw resolved version string for non-latest versions. On Unix-like systems, if this version string is an absolute path, the path joining logic discards the intended root directory, enabling a path traversal attack. An attacker controlling the .tool-versions file can cause mise to create symlinks outside the installation tree, including placing executable symlinks under arbitrary absolute paths that may be included in the PATH environment variable. This vulnerability is addressed in mise version 2026.6.1.
Potential Impact
This vulnerability allows an attacker with control over the .tool-versions file to create symbolic links outside the intended installation directory, potentially placing executable symlinks in attacker-chosen locations. This can lead to unauthorized modification of the filesystem structure and influence over executable paths, which may result in execution of attacker-controlled binaries. The CVSS score of 5.5 (medium) reflects limited attack vector (local) and required user interaction, with no confidentiality or availability impact but high integrity impact.
Mitigation Recommendations
A fix is available in mise version 2026.6.1. Users should upgrade to this version or later to remediate the vulnerability. No other vendor advisories or temporary mitigations are provided. Until upgrading, avoid using untrusted .tool-versions files to prevent exploitation.
CVE-2026-54557: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in jdx mise
Description
mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.6.1, the mise HTTP backend builds its install symlink destination from the raw resolved version string for non-latest versions. Normal tool install paths use the sanitized version pathname, but the HTTP backend's symlink path uses the raw value. On Unix-like systems, if that version is an absolute path, PathBuf::join discards the intended mise installs root. A repository-controlled .tool-versions file can therefore make mise install create a symlink outside the mise install tree. With bin_path, the same issue can place an executable symlink under an attacker-selected absolute prefix, such as a developer-tool prefix that is later added to PATH. This vulnerability is fixed in 2026.6.1.
CVSS v3.1
Score 5.5medium
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The jdx mise tool manages developer tools installations and prior to version 2026.6.1, its HTTP backend constructs symlink destinations using the raw resolved version string for non-latest versions. On Unix-like systems, if this version string is an absolute path, the path joining logic discards the intended root directory, enabling a path traversal attack. An attacker controlling the .tool-versions file can cause mise to create symlinks outside the installation tree, including placing executable symlinks under arbitrary absolute paths that may be included in the PATH environment variable. This vulnerability is addressed in mise version 2026.6.1.
Potential Impact
This vulnerability allows an attacker with control over the .tool-versions file to create symbolic links outside the intended installation directory, potentially placing executable symlinks in attacker-chosen locations. This can lead to unauthorized modification of the filesystem structure and influence over executable paths, which may result in execution of attacker-controlled binaries. The CVSS score of 5.5 (medium) reflects limited attack vector (local) and required user interaction, with no confidentiality or availability impact but high integrity impact.
Mitigation Recommendations
A fix is available in mise version 2026.6.1. Users should upgrade to this version or later to remediate the vulnerability. No other vendor advisories or temporary mitigations are provided. Until upgrading, avoid using untrusted .tool-versions files to prevent exploitation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-15T19:04:14.456Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3eb5316e08203f7dd21fca
Added to database: 06/26/2026, 17:21:53 UTC
Last enriched: 06/26/2026, 17:37:07 UTC
Last updated: 06/26/2026, 18:32:47 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.