Skip to main content

Copier EUVDEUVD-2026-42309

| CVE-2026-53951 HIGH
Path Traversal (CWE-22)
2026-07-08 GitHub_M
8.8
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.8 HIGH
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.0 HIGH

Local CLI execution (AV:L) needing an operator to run Copier (UI:R) with a pre-set trusted prefix and a crafted traversal path (AC:H); code execution as the user yields C/I/A:H, scope unchanged.

3.1 AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Patch available
Jul 08, 2026 - 17:01 EUVD
Analysis Generated
Jul 08, 2026 - 16:26 vuln.today
CVE Published
Jul 08, 2026 - 15:26 cve.org
HIGH 8.8

DescriptionCVE.org

Copier is a library and CLI app for rendering project templates. In versions 9.5.0 through 9.15.1, the trust setting's prefix match (copier/_settings.py) compares the template URL against a trusted prefix with a raw str.startswith and no path normalization, while the URL is normalized when the template is actually fetched (Path.resolve() for local paths; libcurl dot-segment removal for https). A template reference that textually starts with a trusted prefix but contains .. is therefore granted trust yet resolves to a different, attacker-controlled template, whose tasks / migrations / jinja_extensions then run without the --trust prompt - arbitrary command execution. Version 9.15.2 patches the issue.

AnalysisAI

Trust-boundary bypass in Copier 9.5.0 through 9.15.1 lets an attacker-controlled template execute arbitrary commands without the usual --trust confirmation. The flaw stems from the trust prefix check using a raw str.startswith on the un-normalized template URL, so a reference that textually begins with a trusted prefix but contains '..' is granted trust while actually resolving to a different template whose tasks/migrations/jinja_extensions then run. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft template ref with trusted prefix plus '..'
Delivery
Victim runs Copier with a trusted prefix configured
Exploit
startswith grants trust but URL resolves elsewhere
Execution
Attacker template's tasks/migrations run without --trust prompt
Impact
Arbitrary command execution as the invoking user

Vulnerability AssessmentAI

Exploitation Requires that the victim has Copier's 'trust' setting configured with at least one trusted prefix (a non-default operator configuration), and that the victim invokes Copier against a template reference the attacker controls or influences which textually begins with that trusted prefix but embeds '..' dot-segments so the resolved location differs from the trusted string. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 vector (AV:L/AC:L/AT:P/PR:N/UI:P, high impact to both vulnerable and subsequent systems) scores 8.8 and correctly signals that this is not a remote, drive-by bug: it is local, requires a specific attack condition (AT:P) and passive user interaction (UI:P) - namely an operator who has configured a trusted prefix and is induced to run Copier against a crafted reference. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker publishes or influences a template reference such as 'https://trusted.example.com/../attacker/template' that lexically starts with the victim organization's configured trusted prefix. When a developer or CI job runs Copier with that trusted prefix set, the startswith check silently grants trust while the normalized fetch pulls the attacker's template, whose tasks/migrations then execute shell commands on the host without any --trust prompt. …
Remediation Vendor-released patch: 9.15.2 - upgrade Copier to 9.15.2 or later (e.g. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Copier instances running versions 9.5.0-9.15.1 and assess whether they process external or untrusted templates. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42309 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy