compliance-trestle CVE-2026-46345
HIGHSeverity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Relevant Products/Components:
trestle/core/commands/author/jinja.pytrestle author jinja
---
Detailed Description:
The -o/--output argument in trestle author jinja allows writing files outside the intended workspace.
The application does not properly validate:
../..\- absolute paths
This allows arbitrary file write to attacker-controlled locations.
Vulnerable code:
output_file = trestle_root / r_output_fileAn attacker can overwrite files such as:
.github/workflows/*.yml.git/hooks/*- user writable config files
This can lead to CI/CD compromise or local code execution.
---
Steps To Reproduce:
- Clone the repository:
git clone https://github.com/oscal-compass/compliance-trestle.git
cd compliance-trestle- Create template:
echo "hello" > template.j2- Run:
trestle author jinja -i template.j2 -o "subdir\..\..\..\..\..\poc.txt"- Observe:
dir E:\poc.txtThe file is written outside the repository workspace.
---
Browsers Verified In:
Not browser related.
Tested on:
- Windows 11
- Python 3.13
---
Supporting Material/References:
Affected file:
trestle/core/commands/author/jinja.pySuccessfully verified:
- directory traversal using
../ - Windows traversal using
..\ - arbitrary file write outside workspace
---
Access Vector Required for Exploitation:
Local
---
Vulnerability Exists in Default Configuration?:
Yes
---
Is the exploitation trivial or does it involve a multi-step process that may depend on user/victim interaction?:
Trivial. Single command execution.
---
Exploitation Requires Authentication?:
No
---
Under what privileges does the vulnerable service or component run?:
Runs with privileges of the user executing the trestle command.
Impact
An attacker can write files outside the intended workspace directory and overwrite sensitive files writable by the current user.
Possible impacts include:
- overwriting
.github/workflows/*.ymlto execute attacker-controlled GitHub Actions workflows - overwriting
.git/hooks/*for local code execution - modifying user configuration files such as
.bashrc - tampering with repository files and generated compliance artifacts
In CI/CD environments, this may result in execution of attacker-controlled commands on build runners.
AnalysisAI
Arbitrary file write in compliance-trestle's trestle author jinja command allows a local user supplying a crafted -o/--output argument to write files anywhere the invoking user can write, due to missing validation of ../, ..\, and absolute paths. Affected versions are <= 3.12.1 and >= 4.0.0, < 4.0.3, with fixes in 3.12.2 and 4.0.3. No public exploit identified at time of analysis, though the GitHub Security Advisory (GHSA-4q5v-7g7x-j79w) includes a full reproducer; CVSS 8.4 reflects high impact on confidentiality, integrity, and availability.
Technical ContextAI
compliance-trestle is the OSCAL-compass Python tool (distributed via PyPI as compliance-trestle) used to author and validate NIST OSCAL compliance artifacts. The trestle author jinja subcommand renders Jinja2 templates and writes the result to a path supplied by the user. The vulnerable construct in trestle/core/commands/author/jinja.py is output_file = trestle_root / r_output_file - under Python's pathlib, /-joining with an absolute path discards the left operand, and joining with .. segments simply walks the resulting path upward, so neither relative traversal sequences nor absolute paths are normalized or constrained to the trestle workspace root. This is a textbook CWE-22 Path Traversal in a CLI sink. The same patch series (commits 247fcce and 7d107b3) additionally hardens the Jinja render pipeline by removing recursive template re-evaluation of rendered output, mitigating an SSTI-style attack path through untrusted template variables.
RemediationAI
Upgrade to the vendor-released patched versions: compliance-trestle 3.12.2 on the 3.x branch or 4.0.3 on the 4.x branch (pip install --upgrade compliance-trestle4.0.3 or 3.12.2); fix commits are 247fcce289f60103f3d8e28d8ec51a6986b94fb6 and 7d107b3ac53caca7bde97a6278b23cd739d94525, and the advisory is at https://github.com/oscal-compass/compliance-trestle/security/advisories/GHSA-4q5v-7g7x-j79w. Until upgrade is possible, do not pass untrusted values to -o/--output, treat templates and template metadata from untrusted repositories as hostile, and in CI run trestle author jinja only inside an ephemeral container or sandbox whose filesystem does not contain .github/workflows, .git/hooks, or user dotfiles writable by the build user (trade-off: requires pipeline restructuring and may break workflows that intentionally write generated docs back into the workspace). On shared developer hosts, restrict who can invoke trestle and avoid running it from a path with write access to sensitive parent directories.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-22 – Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-4q5v-7g7x-j79w