Moderate severity · NVD Advisory · Published Oct 5, 2025 · Updated Oct 6, 2025
Path Traversal in zenml-io/zenml
CVE-2025-8406
Description
ZenML version 0.83.1 is affected by a path traversal vulnerability in the PathMaterializer class. Its load function uses is_path_within_directory to validate files during data.tar.gz extraction, but that check does not detect symbolic or hard links. This can lead to arbitrary file writes, potentially resulting in arbitrary command execution if critical files are overwritten.
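As an added illustration (not ZenML's code), the following Python contrasts a prefix-only path check of the kind described above with a per-member check that also refuses link entries before anything is extracted. The archive contents, the `/srv/artifacts` directory and all function names are constructed for this example.

```python
import io
import os
import tarfile

def naive_is_path_within_directory(directory: str, target: str) -> bool:
    """Lexical prefix check only: it cannot tell that a member is a link,
    so a link entry whose name sits under `directory` passes."""
    abs_dir = os.path.abspath(directory)
    abs_target = os.path.abspath(os.path.join(directory, target))
    return os.path.commonpath([abs_dir, abs_target]) == abs_dir

def hardened_member_check(directory: str, member: tarfile.TarInfo) -> bool:
    """Accept only regular files and directories whose name stays inside
    `directory`; every symlink or hard link member is rejected outright."""
    if member.issym() or member.islnk():
        return False
    if not (member.isreg() or member.isdir()):
        return False
    if os.path.isabs(member.name) or ".." in member.name.split("/"):
        return False
    return naive_is_path_within_directory(directory, member.name)

def build_sample_archive() -> bytes:
    """Constructed sample archive: one symlink member (constructed, points
    outside the extraction directory) and one ordinary regular file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        link = tarfile.TarInfo("escape")      # hypothetical member name
        link.type = tarfile.SYMTYPE
        link.linkname = "/tmp"                # constructed link target
        tar.addfile(link)
        data = b"hello"
        info = tarfile.TarInfo("data.txt")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def audit_archive(archive: bytes, directory: str) -> dict:
    """Map each member name to (naive verdict, hardened verdict) without
    extracting anything, so the difference between the checks is visible."""
    results = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for m in tar.getmembers():
            results[m.name] = (
                naive_is_path_within_directory(directory, m.name),
                hardened_member_check(directory, m),
            )
    return results
```

On Python 3.12 and later the standard library offers `tar.extractall(path, filter="data")`, which applies comparable rules to link and absolute-path members during extraction.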
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| zenml (PyPI) | >= 0.81.0, < 0.84.2 | 0.84.2 |