CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-23968: Symlink Sabotage: Exfiltrating Secrets via Copier Templates

Vulnerability ID: CVE-2026-23968
CVSS Score: 6.8
Published: 2026-01-21

A high-severity path traversal vulnerability in the popular Python templating tool 'Copier' allowed malicious templates to access and replicate sensitive files from the victim's host machine via symbolic links.

TL;DR

Prior to version 9.11.2, Copier failed to validate the destination of symbolic links within templates. If a user generated a project from a malicious template, the engine would blindly follow symlinks pointing outside the template directory (e.g., to /etc/passwd or ~/.ssh/id_rsa), read their contents, and write them into the new project. If the user then pushed this project to a public repo, their secrets were exposed.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-61 (Symlink Following)
  • CVSS v4.0: 6.8 (Medium)
  • Attack Vector: Local (User-Assisted)
  • Privileges Required: None
  • Impact: High Confidentiality Loss
  • Exploit Status: Proof of Concept Available

Affected Systems

  • Developer Workstations
  • CI/CD Pipelines using Copier
  • Automated Scaffolding Services
  • copier: < 9.11.2 (Fixed in: 9.11.2)

Code Analysis

Commit: b3a7b37

Fix: verify src_abspath is within template local abspath

if (src_abspath.is_symlink() and not self.template.preserve_symlinks and not src_abspath.resolve().is_relative_to(self.template.local_abspath))

Commit: 41cb45c

Fix: ensure destination paths are safe

Prevent overwriting files outside the destination via symlinks

Exploit Details

  • Local PoC: Create a symlink pointing to relative parent directories (../../) inside a template and run copier.

Mitigation Strategies

  • Upgrade Copier to 9.11.2+
  • Run template generation in sandboxed environments (Docker)
  • Set _preserve_symlinks: true in templates to prevent dereferencing

Remediation Steps:

  1. Check your current Copier version: copier --version
  2. If version < 9.11.2, update via pip/pipx: pipx upgrade copier
  3. Audit previously generated projects for sensitive files that shouldn't be there.
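A pre-flight audit for a template checkout, applying the same containment test as the fix condition quoted under Code Analysis (resolve the link, then require the result to sit under the template root). This is an added example, not Copier's code; `find_escaping_symlinks` and `build_sample_template` are hypothetical names, and the sample tree is constructed in a temporary directory.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(template_root):
    """Return sorted (link, target) pairs for symlinks under template_root
    that resolve outside it. Hypothetical helper, not part of Copier."""
    root = Path(template_root).resolve()
    findings = []
    # os.walk lists symlinked directories in dirnames but does not descend
    # into them, so an escaping directory link is reported, never traversed.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if not entry.is_symlink():
                continue
            rel = entry.relative_to(root).as_posix()
            try:
                target = entry.resolve()  # follows chained links to the end
            except (OSError, RuntimeError):  # e.g. a symlink loop
                findings.append((rel, "<unresolvable>"))
                continue
            if not target.is_relative_to(root):  # Python 3.9+
                findings.append((rel, str(target)))
    return sorted(findings)


def build_sample_template(base):
    """Constructed sample: one link that stays inside, one that escapes."""
    base = Path(base)
    template = base / "template"
    (template / "docs").mkdir(parents=True)
    (base / "secret.txt").write_text("constructed stand-in for a host file\n")
    (template / "README.md").write_text("hello\n")
    os.symlink("../README.md", template / "docs" / "readme-link")    # inside
    os.symlink("../../secret.txt", template / "docs" / "notes.txt")  # escapes
    return template


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for link, target in find_escaping_symlinks(build_sample_template(tmp)):
            print(f"escaping symlink: {link} -> {target}")
```

Run it against a cloned template before generating from it, and treat any finding as a reason not to use the template on a host that holds credentials.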

Read the full report for CVE-2026-23968 on our website for more details including interactive diagrams and full exploit analysis.