Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Path traversal vulnerability in Gleam's handling of custom documentation pages allows arbitrary file read and file write outside the intended documentation output directory.
The documentation.pages entries from gleam.toml are incorporated into filesystem paths without sufficient validation or confinement to the intended project and documentation output directories. The documentation.pages[].path field can be used to write generated documentation files outside the intended build/dev/docs/<package>/ output directory. The documentation.pages[].source field can be used to read files outside the project directory and embed their contents into generated documentation output.
An attacker who can convince a victim to run gleam docs build on an untrusted project, or with untrusted gleam.toml content, can cause local files readable by the victim to be included in generated documentation artifacts, and can cause generated documentation files to be written outside the intended docs output directory.
This issue affects Gleam from 1.16.0 until 1.17.0.
AnalysisAI
Path traversal in Gleam's documentation build tooling allows arbitrary file read and write on a developer's workstation when gleam docs build is run against a malicious project. The documentation.pages[].source and documentation.pages[].path fields in gleam.toml accept unsanitized filesystem paths, enabling an attacker who controls gleam.toml content to exfiltrate local files (embedded into generated docs artifacts) or write generated files to arbitrary locations outside build/dev/docs/. Affected versions span only Gleam 1.16.x; no public exploit identified at time of analysis and no KEV listing, but the attack surface is any developer who clones and builds documentation for an untrusted Gleam project.
Technical ContextAI
Gleam is a statically-typed functional language that compiles to Erlang and JavaScript. Its CLI tool includes a gleam docs build command that reads documentation page configuration from gleam.toml. The vulnerable code (compiler-cli/src/docs.rs) incorporated documentation.pages[].path and documentation.pages[].source fields directly into filesystem path operations via the normalize_path_within_base function, which was intended to confine paths to the project root and build/dev/docs/<package>/ output directory respectively. CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) applies: the normalization function using Utf8Component iteration failed to sufficiently prevent escape via relative path sequences, allowing a crafted gleam.toml with values like ../../escape.html or a source pointing above the project root to traverse directory boundaries. The two fix commits (81570611 and c9230cd3) rework this path handling in compiler-cli/src/docs.rs.
RemediationAI
Upgrade to Gleam 1.17.0, which contains the fixes in commits 81570611906b6b0039c948037094d09a68700f3a and c9230cd3045de8fd8481dae3a4557c0146df1430 that correct path confinement in compiler-cli/src/docs.rs. Advisory details at https://github.com/gleam-lang/gleam/security/advisories/GHSA-wjx8-7w8m-p4v7. As a compensating control for teams that cannot immediately upgrade, avoid running gleam docs build on projects with untrusted or unreviewed gleam.toml files; manually inspect the documentation.pages[].path and documentation.pages[].source fields for directory traversal sequences (../) before executing the docs build command. This inspection can be incorporated into code review gates or CI pre-checks for third-party Gleam dependencies. There is no known server-side exposure - the attack requires local execution, so blocking at the developer workstation policy level is an effective interim control.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33927