shamefile CVE-2026-47144
MEDIUMSeverity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Impact
A path traversal vulnerability in shame next allows an attacker-controlled shamefile.yaml to disclose contents of files outside the repository, one line at a time, to the terminal of a user who runs the command. See patch commit for technical details.
Patches
Fixed in 0.1.7. Upgrade to either 0.1.7 or later versions to incorporate the patch.
Workarounds
Do not run shame next against untrusted shamefile.yaml. Use shame me --dry-run for CI validation.
Resources
- Patch commit: https://github.com/BKDDFS/shamefile/commit/77b0aeea318503582818c708518c601fedc43557
- Pull request: https://github.com/BKDDFS/shamefile/pull/80
- Release: https://github.com/BKDDFS/shamefile/releases/tag/v0.1.7
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
AnalysisAI
Path traversal in the shame next subcommand of shamefile (pip/npm/Rust) allows an attacker who controls a shamefile.yaml to read one line at a time from any file accessible to the user running the command, including files outside the repository. Affected versions are 0.1.6 and earlier across all three package ecosystems; the fix in 0.1.7 eliminates disk reads entirely by rendering snippets from the registry's cached content field. No public exploit identified at time of analysis, and no CISA KEV listing, but the patch commit fully documents the vulnerable code path.
Technical ContextAI
shamefile is a code-suppression tracking tool distributed across pip, npm, and Rust (pkg:pip/shamefile, pkg:npm/shamefile, pkg:rust/shamefile). Its shame next subcommand processes a shamefile.yaml registry that maps suppression tokens to source code location fields. The vulnerable snippet renderer opened the file specified by location directly from disk without canonicalizing or bounding the path to the repository root, a classic CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) defect. An attacker-controlled location value using absolute paths (e.g., /etc/passwd:1) or parent-directory traversal (../../.ssh/id_rsa:1) caused the renderer to open and display one line of the targeted file in the terminal. The fix (commit 77b0aeea) removes all disk I/O from the snippet renderer, reading exclusively from the content field already stored in the registry, so the location value can no longer be weaponized as a file pointer.
RemediationAI
Upgrade shamefile to version 0.1.7 or later in all applicable package ecosystems; the patched release is available at https://github.com/BKDDFS/shamefile/releases/tag/v0.1.7 and the fix is implemented in commit 77b0aeea318503582818c708518c601fedc43557. If an immediate upgrade is not feasible, the vendor's documented workaround is to avoid running shame next against any shamefile.yaml whose origin is not fully trusted; instead, use shame me --dry-run for CI validation, as this subcommand does not invoke the vulnerable snippet renderer. Organizations should audit CI pipelines and developer scripts for any automated invocation of shame next on checked-out repositories, particularly those that process external pull requests, as these workflows represent the highest-risk deployment pattern. Note that the --dry-run workaround trades off full shame next functionality for safety until a patch can be applied.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-x6p3-76f2-xxvh