PDM CVE-2026-47764
HIGHSeverity by source
Local install action (AV:L), no privileges needed but user must run pdm install on the malicious wheel (UI:R); arbitrary file write yields high integrity impact, no direct confidentiality loss, partial availability via overwrite.
Lifecycle Timeline
2DescriptionCVE.org
InstallDestination.write_to_fs() in src/pdm/installers/installers.py overrides the base class to add symlink/hardlink support but replaces the safe _path_with_destdir() (which validates via Path.resolve() + is_relative_to()) with a bare os.path.join() that performs no path validation. A malicious wheel with traversal entries can write arbitrary files. Same class as Poetry CVE-2026-34591. Fix ready at: https://github.com/pdm-project/pdm/pull/3787.
AnalysisAI
Arbitrary file write via path traversal in PDM (Python Development Master) package manager allows malicious wheels to write files outside the intended installation directory during package installation. The flaw exists in InstallDestination.write_to_fs() which overrode the safe base class path validation with an unvalidated os.path.join() call, affecting PDM versions up to and including 2.22.4. No public exploit identified at time of analysis, though the issue mirrors the previously disclosed Poetry CVE-2026-34591 of the same class.
Technical ContextAI
PDM is a modern Python package and dependency manager that handles wheel (.whl) installations as part of its dependency resolution workflow. The vulnerability is rooted in CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and specifically affects the symlink/hardlink-supporting override in src/pdm/installers/installers.py. The base installer class provides a _path_with_destdir() helper that uses Path.resolve() followed by is_relative_to() to ensure resolved paths remain within the destination scheme directory; PDM's override discarded this validation and used a bare os.path.join() against attacker-controlled wheel entry names, so '../' sequences inside a wheel archive resolve to arbitrary filesystem locations writable by the user running pdm install. The affected component is the pip-distributed package identified by CPE pkg:pip/pdm.
RemediationAI
Vendor-released patch: upgrade PDM to version 2.27.0 or later, which replaces the unvalidated os.path.join() with the resolved-path containment check (see pull request https://github.com/pdm-project/pdm/pull/3787 and advisory https://github.com/pdm-project/pdm/security/advisories/GHSA-78v8-vpjp-cjqh). Note that 2.27.0 also raises the minimum supported Python version to 3.10, so environments still on Python 3.9 will need to upgrade their interpreter or pin to a non-vulnerable backport if one becomes available. Until upgrade is feasible, install only wheels from trusted indexes (use --index-url with vetted internal mirrors), enable hash verification via pdm.lock with content_hash pinning, and run pdm install inside a sandboxed user account or container so any traversal write is contained to an ephemeral filesystem; the trade-off is reduced developer ergonomics and the inability to install genuinely needed third-party wheels without prior review.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allVendor StatusVendor
SUSE
Severity: Moderate| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-78v8-vpjp-cjqh