Kedro Org Kedro
Monthly
Path traversal in Kedro 1.2.0 allows authenticated local users to read or overwrite files outside of versioned dataset directories by supplying a crafted version string. The flaw resides in `_get_versioned_path()` (kedro/io/core.py) and is also reachable via the `--load-versions` CLI parameter, with downstream risk of data poisoning and cross-tenant data exposure in orchestrated pipelines. No public exploit identified at time of analysis, and the issue is not on CISA KEV.
Path traversal in Kedro 1.2.0 allows authenticated local users to read or overwrite files outside of versioned dataset directories by supplying a crafted version string. The flaw resides in `_get_versioned_path()` (kedro/io/core.py) and is also reachable via the `--load-versions` CLI parameter, with downstream risk of data poisoning and cross-tenant data exposure in orchestrated pipelines. No public exploit identified at time of analysis, and the issue is not on CISA KEV.