Skip to main content

rattler CVE-2026-47425

MEDIUM
Path Traversal (CWE-22)
2026-06-01 https://github.com/conda/rattler GHSA-q53q-5r4j-5729
Share

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 01, 2026 - 14:54 vuln.today
Analysis Generated
Jun 01, 2026 - 14:54 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 3 pypi packages depend on py-rattler (3 direct, 0 indirect)

Ecosystem-wide dependent count for version 0.24.0.

DescriptionCVE.org

Summary

EntryPoint::FromStr in rattler_conda_types performs only .trim() on the command field before the linker joins it onto the install prefix and writes an executable Python script. A malicious noarch:python package can ship an info/link.json with an entry-point name containing .., /, \, or an absolute path; the resulting file is written outside the prefix (or clobbers an existing in-prefix entry-point such as bin/pip) with mode 0o775 on Unix and a copied launcher .exe on Windows. This affects the default install path of pixi install, rattler-build, some methods in py-rattler, and any other consumer of the rattler install crate; no flag or post-link-script opt-in is involved.

Resolved in https://github.com/conda/rattler/pull/2445, released in rattler 0.43.2.

Affected

  • Repository: https://github.com/conda/rattler
  • Commit: a0e61a33da8b9d6de712fab2a879fa9da977e6e3 (HEAD at audit time, 2026-05-13 release)
  • Downstream consumers reached through the same code path: prefix-dev/pixi @ e640477
  • pixi 0.69.0 and rattler-build 0.65.0 fix this issue

Researcher

Berkant Koc <me@berkoc.com> PGP: 0C588DFD76204987284213EA0AC529C41F8AA5D6

AnalysisAI

Arbitrary file write via path traversal in rattler's noarch:python entry-point installer allows a malicious conda package to write executable files outside the install prefix on both Unix and Windows. Any user of rattler < 0.43.2, pixi < 0.69.0, or rattler-build < 0.65.0 who installs a crafted noarch:python package is affected - no special configuration or flag opt-in is required. The attacker-controlled file is written with mode 0o775 on Unix or as a copied launcher .exe on Windows, enabling code execution when the entry-point is subsequently invoked. No public exploit code is identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Technical ContextAI

The affected code path is EntryPoint::FromStr in the rattler_conda_types Rust crate, which applies only .trim() sanitization to the command field parsed from a conda package's info/link.json. The install crate's create_unix_python_entry_point and create_windows_python_entry_point functions then construct the output path by calling python_info.bin_dir.join(&entry_point.command) and joining that result onto the install prefix. Rust's std::path::Path::join silently replaces the entire accumulated path when given an absolute right-hand side, and preserves .. components literally without normalization - meaning a crafted command value such as ../../bin/pip or /etc/cron.d/evil will resolve outside the intended prefix boundary. CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) precisely characterizes this root cause: the code constructs a filesystem path from untrusted input without canonicalization or prefix-containment verification. The fix in PR #2445 introduces a ValidatedRelativePath newtype that rejects absolute paths, drive/root components, and any .. that would pop above the prefix before any file is written, enforcing the invariant at the type level so the compiler rejects unvalidated paths.

RemediationAI

Upgrade to rattler 0.43.2 or later, which contains the fix from PR #2445 (https://github.com/conda/rattler/pull/2445). Downstream users should upgrade pixi to 0.69.0 or later and rattler-build to 0.65.0 or later - both releases incorporate the patched rattler crate. As a compensating control prior to patching, restrict conda package sources to trusted, audited channels with package signing enabled, and audit info/link.json entry-point command fields in any noarch:python packages before installation. Blocking installation from anonymous or untrusted channels reduces the supply-chain attack surface significantly, though with the trade-off of reduced package availability. There is no known runtime flag or configuration setting that disables the vulnerable code path - the fix must be applied at the library level.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-47425 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy