Medium severity (5.8) · OSV Advisory · Published Oct 5, 2025 · Updated Apr 15, 2026
CVE-2025-8917
Description
A vulnerability in allegroai/clearml version v2.0.1 allows for path traversal due to improper handling of symbolic and hard links in the safe_extract function. This flaw can lead to arbitrary file writes outside the intended directory, potentially resulting in remote code execution if critical files are overwritten.
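To show what "handling symbolic and hard links" in an extraction check means in practice, here is an added Python example (not clearml's code): a member checker in the spirit of the patched safe_extract, with one deliberate difference, in that symlink targets are resolved relative to the link's own directory rather than the extraction root, plus a constructed in-memory archive to exercise it. The names check_member, build_tar and audit are this example's own.

```python
import io
import os
import tarfile
from typing import List, Optional

def is_within_directory(directory: str, target: str) -> bool:
    """True if target resolves to directory itself or to something below it."""
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    return os.path.commonpath([abs_directory, abs_target]) == abs_directory

def check_member(base_dir: str, member: tarfile.TarInfo) -> Optional[str]:
    """Return a rejection reason, or None when the member is safe to extract."""
    member_path = os.path.abspath(os.path.join(base_dir, member.name))
    if not is_within_directory(base_dir, member_path):
        return "path traversal: %s" % member.name
    if member.issym() or member.islnk():
        # Hard-link targets are archive-relative; symlink targets are relative
        # to the link's own directory, so resolve each kind from the right base.
        link_base = base_dir if member.islnk() else os.path.dirname(member_path)
        link_target = os.path.abspath(os.path.join(link_base, member.linkname))
        if not is_within_directory(base_dir, link_target):
            return "link escapes extraction dir: %s -> %s" % (member.name, member.linkname)
    return None

def build_tar(entries) -> bytes:
    """Constructed sample archive; entries are (name, kind, data_or_linkname)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, value in entries:
            info = tarfile.TarInfo(name)
            if kind == "file":
                info.size = len(value.encode())
                tar.addfile(info, io.BytesIO(value.encode()))
            else:  # "sym" or "hard": no payload, only a link target
                info.type = tarfile.SYMTYPE if kind == "sym" else tarfile.LNKTYPE
                info.linkname = value
                tar.addfile(info)
    return buf.getvalue()

def audit(tar_bytes: bytes, dest: str) -> List[str]:
    """Dry run: apply check_member to every entry, return the rejection reasons."""
    base = os.path.abspath(dest)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return [r for r in (check_member(base, m) for m in tar.getmembers()) if r]

if __name__ == "__main__":
    good = build_tar([("ok.txt", "file", "hi"), ("sub/alias", "sym", "../ok.txt")])
    bad = build_tar([("escape", "sym", "../outside"), ("../evil.txt", "file", "x")])
    print(audit(good, "/tmp/dest"), audit(bad, "/tmp/dest"))
```

Run the audit before extracting so a single bad member rejects the whole archive, which is the same all-or-nothing behaviour the patched function has.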
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| clearml (PyPI) | < 2.0.2 | 2.0.2 |
Affected products
Patches (1)
64fb2bcbdbb8 Handle unsafe links inside safe_extract
1 file changed · +10 −4
clearml/storage/util.py+10 −4 modified@@ -377,8 +377,14 @@ def safe_extract( numeric_owner: bool = False, ) -> None: """Tarfile member sanitization (addresses CVE-2007-4559)""" + base_dir = os.path.abspath(path) for member in tar.getmembers(): - member_path = os.path.join(path, member.name) - if not is_within_directory(path, member_path): - raise Exception("Attempted Path Traversal in Tar File") - tar.extractall(path, members, numeric_owner=numeric_owner) + member_path = os.path.abspath(os.path.join(base_dir, member.name)) + if not is_within_directory(base_dir, member_path): + raise Exception("Path traversal detected in archive member: {}".format(member.name)) + + if member.issym() or member.islnk(): + link_target = os.path.abspath(os.path.join(base_dir, member.linkname)) + if not is_within_directory(base_dir, link_target): + raise Exception("Link target escapes extraction dir: {} -> {}".format(member.name, member.linkname)) + tar.extractall(path=base_dir, members=members, numeric_owner=numeric_owner)
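Review bot: the new link check joins `member.linkname` onto `base_dir` for both link kinds, but a symbolic link's target is relative to the directory that contains the link, not to the extraction root; only hard links (`member.islnk()`) are archive-relative. For a nested entry such as `sub/dir/alias -> ../../ok.txt` the computed `link_target` therefore lands above `base_dir` and the archive is rejected even though the real target is inside it. Suggest resolving symlinks from the link's own directory and keeping `base_dir` for hard links, e.g. `link_base = base_dir if member.islnk() else os.path.dirname(member_path)` followed by `os.path.join(link_base, member.linkname)`; any target that still resolves outside `base_dir` is refused as before, so this is no less strict. Separately, on interpreters that support it (Python 3.12, and the 3.8 to 3.11 security releases that backported it), passing `filter="data"` to `tar.extractall` adds a library-maintained second check against absolute names, traversal and links pointing outside the destination. Minor: raising bare `Exception` for both rejection cases makes them hard for callers to catch selectively; a dedicated exception class would help.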
References (5)
- github.com/advisories/GHSA-579p-qf78-fqm2 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-8917 (ghsa, ADVISORY)
- github.com/clearml/clearml/commit/64fb2bcbdbb87a74af90dd723d5ef4a99fceeb73 (ghsa, WEB)
- huntr.com/bounties/588fcdd1-fea4-4cc2-a9f8-851701dcb576 (nvd, WEB)
- github.com/allegroai/clearml/commit/64fb2bcbdbb87a74af90dd723d5ef4a99fceeb73 (nvd)