Threats Tagged 'cwe-61'
View all threats tagged with 'cwe-61'. Filter and sort to focus on specific types of threats.
CVE-2026-5223: CWE-61 UNIX symbolic link (symlink) following in Rust Project Cargo
Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is **medium** for users of third-party registries. Users of crates.io are **not affected**, as crates.io forbids uploading crates containing any symlink.
CVE Database V5 | 05/25/2026, 08:57:08 UTC | Added: 05/25/2026, 09:40:18 UTC

CVE-2026-29203: CWE-61 UNIX Symbolic Link (Symlink) Following in WebPros cPanel
A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled legacy Nova path under their home directory.
CVE Database V5 | 05/08/2026, 18:51:05 UTC | Added: 05/08/2026, 19:06:26 UTC

CVE-2026-42275: CWE-61: UNIX Symbolic Link (Symlink) Following in openziti zrok
CVE-2026-42275 is a high-severity vulnerability in openziti zrok prior to version 2.0.2. The zrok WebDAV drive backend improperly handles symbolic links, allowing remote WebDAV clients to access files outside the intended shared directory. This occurs because while path traversal is restricted via lexical normalization, symlink following is not prevented. As a result, attackers can read and potentially write or overwrite files anywhere accessible to the zrok process if OS-level permissions are not restrictive. The issue has been addressed in version 2.0.2.
CVE Database V5 | 05/08/2026, 03:45:57 UTC | Added: 05/08/2026, 03:51:29 UTC

CVE-2026-35372: CWE-61: UNIX Symbolic Link (Symlink) Following in Uutils coreutils
A logic error in the ln utility of uutils coreutils allows the utility to dereference a symbolic link target even when the --no-dereference (or -n) flag is explicitly provided. The implementation previously only honored the "no-dereference" intent if the --force (overwrite) mode was also enabled. This flaw causes ln to follow a symbolic link that points to a directory and create new links inside that target directory instead of treating the symbolic link itself as the destination. In environments where a privileged user or system script uses ln -n to update a symlink, a local attacker could manipulate existing symbolic links to redirect file creation into sensitive directories, potentially leading to unauthorized file creation or system misconfiguration.
CVE Database V5 | 04/22/2026, 16:08:58 UTC | Added: 04/22/2026, 16:31:17 UTC

CVE-2026-39861: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in anthropics claude-code
Claude Code versions prior to 2.1.64 contain a path traversal vulnerability in their sandbox implementation. The sandbox did not prevent sandboxed processes from creating symbolic links pointing outside the workspace. When the unsandboxed process wrote to a path through such a symlink, it could write outside the intended sandbox without user confirmation. This combination allows sandbox escape and potential code execution outside the sandbox. Exploitation requires injecting untrusted content to trigger sandboxed code execution. Users with standard auto-updates have received the fix; manual update to version 2.1.64 or later is advised.
CVE Database V5 | 04/21/2026, 00:56:39 UTC | Added: 04/21/2026, 05:33:37 UTC

CVE-2026-28684: CWE-59: Improper Link Resolution Before File Access ('Link Following') in theskumar python-dotenv
python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, `set_key()` and `unset_key()` in python-dotenv follow symbolic links when rewriting `.env` files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when a cross-device rename fallback is triggered. Users should upgrade to v1.2.2 or, as a workaround, apply the patch manually.
CVE Database V5 | 04/20/2026, 16:25:12 UTC | Added: 04/20/2026, 16:46:11 UTC

CVE-2026-40354: CWE-61 UNIX Symbolic Link (Symlink) Following in Flatpak xdg-desktop-portal
Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack on g_file_trash.
CVE Database V5 | 04/11/2026, 00:29:03 UTC | Added: 04/11/2026, 01:05:50 UTC

CVE-2026-21916: CWE-61 UNIX Symbolic Link (Symlink) Following in Juniper Networks Junos OS
A UNIX Symbolic Link (Symlink) Following vulnerability in the CLI of Juniper Networks Junos OS allows a local, authenticated attacker with low privileges to escalate their privileges to root, which leads to a complete compromise of the system. When, after a user has performed a specific 'file link ...' CLI operation, another user commits (unrelated configuration changes), the first user can log in as root. This issue affects Junos OS:
* all versions before 23.2R2-S7,
* 23.4 versions before 23.4R2-S6,
* 24.2 versions before 24.2R2-S3,
* 24.4 versions before 24.4R2-S2,
* 25.2 versions before 25.2R2.
This issue does not affect versions 25.4R1 or later.
CVE Database V5 | 04/09/2026, 21:28:05 UTC | Added: 04/10/2026, 00:25:22 UTC

CVE-2026-39860: CWE-61: UNIX Symbolic Link (Symlink) Following in NixOS nix
CVE-2026-39860 is a critical vulnerability in the Nix package manager affecting Linux sandboxed builds. It arises from a flaw in the fix for a previous vulnerability (CVE-2024-27297) that allows arbitrary file overwrites by following symbolic links during fixed-output derivation output registration. This can be exploited by users who can submit builds to the Nix daemon, potentially leading to root privilege escalation by overwriting sensitive files. The issue does not affect sandboxed macOS builds. Multiple versions of Nix prior to specific fixed releases are vulnerable. The vulnerability has a CVSS score of 9. A fix is available in Nix versions 2.28.6, 2.29.
CVE Database V5 | 04/08/2026, 20:58:22 UTC | Added: 04/08/2026, 21:05:48 UTC

CVE-2026-35525: CWE-61: UNIX Symbolic Link (Symlink) Following in harttle liquidjs
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, for {% include %}, {% render %}, and {% layout %}, LiquidJS checks whether the candidate path is inside the configured partials or layouts roots before reading it. That check is path-based, not realpath-based. Because of that, a file like partials/link.liquid passes the directory containment check as long as its pathname is under the allowed root. If link.liquid is actually a symlink to a file outside the allowed root, the filesystem follows the symlink when the file is opened and LiquidJS renders the external target. So the restriction is applied to the path string that was requested, not to the file that is actually read. This matters in environments where an attacker can place templates or otherwise influence files under a trusted template root, including uploaded themes, extracted archives, mounted content, or repository-controlled template trees. This vulnerability is fixed in 10.25.3.
CVE Database V5 | 04/08/2026, 19:30:24 UTC | Added: 04/08/2026, 19:50:49 UTC