rattler CVE-2026-47425
MEDIUMLifecycle Timeline
2Blast Radius
ecosystem impact- 3 pypi packages depend on py-rattler (3 direct, 0 indirect)
Ecosystem-wide dependent count for version 0.24.0.
DescriptionCVE.org
Summary
EntryPoint::FromStr in rattler_conda_types performs only .trim() on the command field before the linker joins it onto the install prefix and writes an executable Python script. A malicious noarch:python package can ship an info/link.json with an entry-point name containing .., /, \, or an absolute path; the resulting file is written outside the prefix (or clobbers an existing in-prefix entry-point such as bin/pip) with mode 0o775 on Unix and a copied launcher .exe on Windows. This affects the default install path of pixi install, rattler-build, some methods in py-rattler, and any other consumer of the rattler install crate; no flag or post-link-script opt-in is involved.
Resolved in https://github.com/conda/rattler/pull/2445, released in rattler 0.43.2.
Affected
- Repository: https://github.com/conda/rattler
- Commit:
a0e61a33da8b9d6de712fab2a879fa9da977e6e3(HEAD at audit time, 2026-05-13 release) - Downstream consumers reached through the same code path:
prefix-dev/pixi@e640477 - pixi 0.69.0 and rattler-build 0.65.0 fix this issue
Researcher
Berkant Koc <me@berkoc.com> PGP: 0C588DFD76204987284213EA0AC529C41F8AA5D6
AnalysisAI
Arbitrary file write via path traversal in rattler's noarch:python entry-point installer allows a malicious conda package to write executable files outside the install prefix on both Unix and Windows. Any user of rattler < 0.43.2, pixi < 0.69.0, or rattler-build < 0.65.0 who installs a crafted noarch:python package is affected - no special configuration or flag opt-in is required. The attacker-controlled file is written with mode 0o775 on Unix or as a copied launcher .exe on Windows, enabling code execution when the entry-point is subsequently invoked. No public exploit code is identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Technical ContextAI
The affected code path is EntryPoint::FromStr in the rattler_conda_types Rust crate, which applies only .trim() sanitization to the command field parsed from a conda package's info/link.json. The install crate's create_unix_python_entry_point and create_windows_python_entry_point functions then construct the output path by calling python_info.bin_dir.join(&entry_point.command) and joining that result onto the install prefix. Rust's std::path::Path::join silently replaces the entire accumulated path when given an absolute right-hand side, and preserves .. components literally without normalization - meaning a crafted command value such as ../../bin/pip or /etc/cron.d/evil will resolve outside the intended prefix boundary. CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) precisely characterizes this root cause: the code constructs a filesystem path from untrusted input without canonicalization or prefix-containment verification. The fix in PR #2445 introduces a ValidatedRelativePath newtype that rejects absolute paths, drive/root components, and any .. that would pop above the prefix before any file is written, enforcing the invariant at the type level so the compiler rejects unvalidated paths.
RemediationAI
Upgrade to rattler 0.43.2 or later, which contains the fix from PR #2445 (https://github.com/conda/rattler/pull/2445). Downstream users should upgrade pixi to 0.69.0 or later and rattler-build to 0.65.0 or later - both releases incorporate the patched rattler crate. As a compensating control prior to patching, restrict conda package sources to trusted, audited channels with package signing enabled, and audit info/link.json entry-point command fields in any noarch:python packages before installation. Blocking installation from anonymous or untrusted channels reduces the supply-chain attack surface significantly, though with the trade-off of reduced package availability. There is no known runtime flag or configuration setting that disables the vulnerable code path - the fix must be applied at the library level.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-q53q-5r4j-5729