Skip to main content

Patool

1 CVEs product

Monthly

CVE-2026-29509 MEDIUM PATCH This Month

Path traversal in Patool's safe_extract() function allows an attacker-controlled archive to write files to arbitrary locations on the filesystem when extracted by a victim running Patool before 4.0.5 on Python before 3.12. The flaw exists because the is_within_directory() helper in patoolib/programs/py_tarfile.py uses os.path.commonprefix() for character-level string prefix matching rather than path-component-level comparison, making it trivially bypassable with crafted member paths. No public exploit or CISA KEV listing has been identified at time of analysis, but the low-complexity exploitation conditions and complete integrity bypass make this a meaningful risk for affected deployments.

Python Path Traversal Patool
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.3%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Path traversal in Patool's safe_extract() function allows an attacker-controlled archive to write files to arbitrary locations on the filesystem when extracted by a victim running Patool before 4.0.5 on Python before 3.12. The flaw exists because the is_within_directory() helper in patoolib/programs/py_tarfile.py uses os.path.commonprefix() for character-level string prefix matching rather than path-component-level comparison, making it trivially bypassable with crafted member paths. No public exploit or CISA KEV listing has been identified at time of analysis, but the low-complexity exploitation conditions and complete integrity bypass make this a meaningful risk for affected deployments.

Python Path Traversal Patool
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy