Skip to main content

shamefile CVE-2026-47144

MEDIUM
Path Traversal (CWE-22)
2026-05-28 https://github.com/BKDDFS/shamefile GHSA-x6p3-76f2-xxvh
5.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 28, 2026 - 20:51 vuln.today
Analysis Generated
May 28, 2026 - 20:51 vuln.today

DescriptionGitHub Advisory

Impact

A path traversal vulnerability in shame next allows an attacker-controlled shamefile.yaml to disclose contents of files outside the repository, one line at a time, to the terminal of a user who runs the command. See patch commit for technical details.

Patches

Fixed in 0.1.7. Upgrade to either 0.1.7 or later versions to incorporate the patch.

Workarounds

Do not run shame next against untrusted shamefile.yaml. Use shame me --dry-run for CI validation.

Resources

AnalysisAI

Path traversal in the shame next subcommand of shamefile (pip/npm/Rust) allows an attacker who controls a shamefile.yaml to read one line at a time from any file accessible to the user running the command, including files outside the repository. Affected versions are 0.1.6 and earlier across all three package ecosystems; the fix in 0.1.7 eliminates disk reads entirely by rendering snippets from the registry's cached content field. No public exploit identified at time of analysis, and no CISA KEV listing, but the patch commit fully documents the vulnerable code path.

Technical ContextAI

shamefile is a code-suppression tracking tool distributed across pip, npm, and Rust (pkg:pip/shamefile, pkg:npm/shamefile, pkg:rust/shamefile). Its shame next subcommand processes a shamefile.yaml registry that maps suppression tokens to source code location fields. The vulnerable snippet renderer opened the file specified by location directly from disk without canonicalizing or bounding the path to the repository root, a classic CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) defect. An attacker-controlled location value using absolute paths (e.g., /etc/passwd:1) or parent-directory traversal (../../.ssh/id_rsa:1) caused the renderer to open and display one line of the targeted file in the terminal. The fix (commit 77b0aeea) removes all disk I/O from the snippet renderer, reading exclusively from the content field already stored in the registry, so the location value can no longer be weaponized as a file pointer.

RemediationAI

Upgrade shamefile to version 0.1.7 or later in all applicable package ecosystems; the patched release is available at https://github.com/BKDDFS/shamefile/releases/tag/v0.1.7 and the fix is implemented in commit 77b0aeea318503582818c708518c601fedc43557. If an immediate upgrade is not feasible, the vendor's documented workaround is to avoid running shame next against any shamefile.yaml whose origin is not fully trusted; instead, use shame me --dry-run for CI validation, as this subcommand does not invoke the vulnerable snippet renderer. Organizations should audit CI pipelines and developer scripts for any automated invocation of shame next on checked-out repositories, particularly those that process external pull requests, as these workflows represent the highest-risk deployment pattern. Note that the --dry-run workaround trades off full shame next functionality for safety until a patch can be applied.

Share

CVE-2026-47144 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy