Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
5Blast Radius
ecosystem impact- 42 pypi packages depend on gdown (37 direct, 5 indirect)
Ecosystem-wide dependent count for version 5.2.2.
DescriptionGitHub Advisory
gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members. This allow files to be written outside the intended destination directory, potentially leading to arbitrary file overwrite and Remote Code Execution (RCE). Version 5.2.2 contains a fix.
AnalysisAI
gdown prior to version 5.2.2 allows remote attackers to write arbitrary files outside the intended extraction directory via maliciously crafted ZIP or TAR archives due to insufficient path traversal validation in the extractall functionality. An attacker can craft a malicious archive with path traversal sequences (e.g., ../ entries) in filenames, which when extracted by a user, permits file overwrite and potential remote code execution. The vulnerability requires user interaction (UI:R) to trigger extraction but affects all unauthenticated remote users downloading via the gdown library.
Technical ContextAI
gdown is a Python library for downloading files from Google Drive without authentication. The vulnerability exists in the archive extraction logic (extractall method) used to handle ZIP and TAR file formats. The library fails to canonicalize or validate archive member filenames against directory traversal patterns before writing them to disk. CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) is the root cause class - a classic path traversal flaw where user-controlled filename input is not validated. When an archive contains entries with relative paths (e.g., ../../sensitive_file or /etc/passwd), the extraction proceeds without sanitization, allowing writes to arbitrary filesystem locations. This is exacerbated when the library is used in automated workflows or by applications that automatically extract downloaded archives.
RemediationAI
Vendor-released patch: gdown version 5.2.2 or later. Users should upgrade immediately by running 'pip install --upgrade gdown>=5.2.2' or equivalent for their package manager. The upstream fix (commit af569fc6ed300b7974dee66dc51e9f01b57b4dff) implements path validation in the extractall method to reject archive entries containing directory traversal sequences (../, absolute paths, etc.). For organizations unable to upgrade immediately, compensating controls include: (1) Restrict gdown usage to sandboxed environments or isolated user accounts with minimal filesystem permissions, limiting the impact radius of arbitrary file writes; (2) Disable automatic archive extraction in downstream tools-require manual review and explicit extraction commands; (3) Validate extracted file paths programmatically before processing by implementing extraction wrapper functions that reject any archive member paths containing '..' or absolute path prefixes. Note that sandboxing introduces performance overhead and wrapper functions require code changes; the patch is the preferred remediation. See https://github.com/wkentaro/gdown/security/advisories/GHSA-76hw-p97h-883f for vendor details.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23642
GHSA-76hw-p97h-883f