Skip to main content

Gleam CLI CVE-2026-32685

| EUVDEUVD-2026-33927 MEDIUM
Path Traversal (CWE-22)
2026-06-02 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
4.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.6 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
Patch available
Jun 02, 2026 - 16:01 EUVD
Source Code Evidence Fetched
Jun 02, 2026 - 14:38 vuln.today
Analysis Generated
Jun 02, 2026 - 14:38 vuln.today

DescriptionCVE.org

Path traversal vulnerability in Gleam's handling of custom documentation pages allows arbitrary file read and file write outside the intended documentation output directory.

The documentation.pages entries from gleam.toml are incorporated into filesystem paths without sufficient validation or confinement to the intended project and documentation output directories. The documentation.pages[].path field can be used to write generated documentation files outside the intended build/dev/docs/<package>/ output directory. The documentation.pages[].source field can be used to read files outside the project directory and embed their contents into generated documentation output.

An attacker who can convince a victim to run gleam docs build on an untrusted project, or with untrusted gleam.toml content, can cause local files readable by the victim to be included in generated documentation artifacts, and can cause generated documentation files to be written outside the intended docs output directory.

This issue affects Gleam from 1.16.0 until 1.17.0.

AnalysisAI

Path traversal in Gleam's documentation build tooling allows arbitrary file read and write on a developer's workstation when gleam docs build is run against a malicious project. The documentation.pages[].source and documentation.pages[].path fields in gleam.toml accept unsanitized filesystem paths, enabling an attacker who controls gleam.toml content to exfiltrate local files (embedded into generated docs artifacts) or write generated files to arbitrary locations outside build/dev/docs/. Affected versions span only Gleam 1.16.x; no public exploit identified at time of analysis and no KEV listing, but the attack surface is any developer who clones and builds documentation for an untrusted Gleam project.

Technical ContextAI

Gleam is a statically-typed functional language that compiles to Erlang and JavaScript. Its CLI tool includes a gleam docs build command that reads documentation page configuration from gleam.toml. The vulnerable code (compiler-cli/src/docs.rs) incorporated documentation.pages[].path and documentation.pages[].source fields directly into filesystem path operations via the normalize_path_within_base function, which was intended to confine paths to the project root and build/dev/docs/<package>/ output directory respectively. CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) applies: the normalization function using Utf8Component iteration failed to sufficiently prevent escape via relative path sequences, allowing a crafted gleam.toml with values like ../../escape.html or a source pointing above the project root to traverse directory boundaries. The two fix commits (81570611 and c9230cd3) rework this path handling in compiler-cli/src/docs.rs.

RemediationAI

Upgrade to Gleam 1.17.0, which contains the fixes in commits 81570611906b6b0039c948037094d09a68700f3a and c9230cd3045de8fd8481dae3a4557c0146df1430 that correct path confinement in compiler-cli/src/docs.rs. Advisory details at https://github.com/gleam-lang/gleam/security/advisories/GHSA-wjx8-7w8m-p4v7. As a compensating control for teams that cannot immediately upgrade, avoid running gleam docs build on projects with untrusted or unreviewed gleam.toml files; manually inspect the documentation.pages[].path and documentation.pages[].source fields for directory traversal sequences (../) before executing the docs build command. This inspection can be incorporated into code review gates or CI pre-checks for third-party Gleam dependencies. There is no known server-side exposure - the attack requires local execution, so blocking at the developer workstation policy level is an effective interim control.

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-32685 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy