Skip to main content

Google CVE-2026-40491

| EUVDEUVD-2026-23642 MEDIUM
Path Traversal (CWE-22)
2026-04-18 GitHub_M GHSA-76hw-p97h-883f
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

5
Patch released
Apr 18, 2026 - 08:30 nvd
Patch available
Analysis Generated
Apr 18, 2026 - 02:40 vuln.today
EUVD ID Assigned
Apr 18, 2026 - 02:30 euvd
EUVD-2026-23642
Analysis Generated
Apr 18, 2026 - 02:30 vuln.today
CVE Published
Apr 18, 2026 - 01:36 nvd
MEDIUM 6.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 42 pypi packages depend on gdown (37 direct, 5 indirect)

Ecosystem-wide dependent count for version 5.2.2.

DescriptionGitHub Advisory

gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members. This allow files to be written outside the intended destination directory, potentially leading to arbitrary file overwrite and Remote Code Execution (RCE). Version 5.2.2 contains a fix.

AnalysisAI

gdown prior to version 5.2.2 allows remote attackers to write arbitrary files outside the intended extraction directory via maliciously crafted ZIP or TAR archives due to insufficient path traversal validation in the extractall functionality. An attacker can craft a malicious archive with path traversal sequences (e.g., ../ entries) in filenames, which when extracted by a user, permits file overwrite and potential remote code execution. The vulnerability requires user interaction (UI:R) to trigger extraction but affects all unauthenticated remote users downloading via the gdown library.

Technical ContextAI

gdown is a Python library for downloading files from Google Drive without authentication. The vulnerability exists in the archive extraction logic (extractall method) used to handle ZIP and TAR file formats. The library fails to canonicalize or validate archive member filenames against directory traversal patterns before writing them to disk. CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) is the root cause class - a classic path traversal flaw where user-controlled filename input is not validated. When an archive contains entries with relative paths (e.g., ../../sensitive_file or /etc/passwd), the extraction proceeds without sanitization, allowing writes to arbitrary filesystem locations. This is exacerbated when the library is used in automated workflows or by applications that automatically extract downloaded archives.

RemediationAI

Vendor-released patch: gdown version 5.2.2 or later. Users should upgrade immediately by running 'pip install --upgrade gdown>=5.2.2' or equivalent for their package manager. The upstream fix (commit af569fc6ed300b7974dee66dc51e9f01b57b4dff) implements path validation in the extractall method to reject archive entries containing directory traversal sequences (../, absolute paths, etc.). For organizations unable to upgrade immediately, compensating controls include: (1) Restrict gdown usage to sandboxed environments or isolated user accounts with minimal filesystem permissions, limiting the impact radius of arbitrary file writes; (2) Disable automatic archive extraction in downstream tools-require manual review and explicit extraction commands; (3) Validate extracted file paths programmatically before processing by implementing extraction wrapper functions that reject any archive member paths containing '..' or absolute path prefixes. Note that sandboxing introduces performance overhead and wrapper functions require code changes; the patch is the preferred remediation. See https://github.com/wkentaro/gdown/security/advisories/GHSA-76hw-p97h-883f for vendor details.

Share

CVE-2026-40491 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy