dbt-common: commonprefix() doesn't protect against path traversal
Description
dbt-common is the shared utilities library used by dbt-core and adapter implementations. Prior to versions 1.34.2 and 1.37.3, a path traversal vulnerability exists in dbt-common's safe_extract() function, used when extracting tarball archives. The function uses os.path.commonprefix() to validate that extracted files remain within the intended destination directory. However, commonprefix() compares paths character-by-character rather than by path components, so a malicious tarball can write files to a sibling directory whose name shares the destination directory's name as a string prefix. This issue has been patched in versions 1.34.2 and 1.37.3.
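The character-versus-component distinction described above, as an added Python example (not dbt-common's own code): a commonprefix()-style containment check beside a commonpath() one, run over constructed tarball member names against a hypothetical destination directory.

```python
import os
import os.path


def commonprefix_contains(dest_dir: str, member_name: str) -> bool:
    """Flawed containment check of the kind the advisory describes:
    os.path.commonprefix() compares the two strings character by character,
    so a sibling directory whose name starts with dest_dir looks 'inside'."""
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, member_name))
    return os.path.commonprefix([dest, target]) == dest


def commonpath_contains(dest_dir: str, member_name: str) -> bool:
    """Component-wise containment check: os.path.commonpath() only matches
    whole path segments, so '/x/out' is not an ancestor of '/x/out_evil'."""
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, member_name))
    return os.path.commonpath([dest, target]) == dest


def audit_members(dest_dir: str, member_names):
    """Return {member: (commonprefix verdict, commonpath verdict)} for each member."""
    return {
        m: (commonprefix_contains(dest_dir, m), commonpath_contains(dest_dir, m))
        for m in member_names
    }


# Hypothetical destination and constructed member names (not from a real archive).
DEST = "/srv/dbt-extract"
MEMBERS = [
    "models/schema.yml",                    # ordinary member, stays inside DEST
    "../../etc/cron.d/job",                 # classic traversal, both checks reject
    "../dbt-extract_sibling/profiles.yml",  # sibling dir sharing DEST's string prefix
]

if __name__ == "__main__":
    for member, (prefix_ok, path_ok) in audit_members(DEST, MEMBERS).items():
        print(f"{member!r:42} commonprefix={prefix_ok!s:5} commonpath={path_ok}")
```

Only the last member separates the two checks: the string-prefix check accepts it, the component-wise check rejects it.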
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dbt-common (PyPI) | < 1.34.2 | 1.34.2 |
| dbt-common (PyPI) | >= 1.35.0, < 1.37.3 | 1.37.3 |
Affected products
- (no CPE) range: < 1.10.3-r1
- (no CPE) range: < 1.10.4-r2
- (no CPE) range: < 1.34.2
- dbt-labs/dbt-common (v5) range: < 1.37.3
References
- github.com/advisories/GHSA-6vgw-5pg2-w6jp (advisory)
- github.com/advisories/GHSA-w75w-9qv4-j5xj (advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-29790 (advisory)
- docs.python.org/3/library/os.path.html (web)
- github.com/dbt-labs/dbt-common/commit/e547954a48bac9394ef6eb98432e429dce9a7709 (web)
- github.com/dbt-labs/dbt-common/security/advisories/GHSA-w75w-9qv4-j5xj (vendor confirmation)
- github.com/pypa/pip/pull/13777 (web)