CVE Reports

Posted on • Originally published at cvereports.com

GHSA-76hw-p97h-883f: Arbitrary File Write via Path Traversal in gdown Archive Extraction

Vulnerability ID: GHSA-76HW-P97H-883F
CVSS Score: 6.5
Published: 2026-04-14

The Python package gdown prior to version 5.2.2 is vulnerable to arbitrary file write via path traversal in the gdown.extractall function. When a maliciously crafted ZIP or TAR archive contains member names with relative path components (such as ../), extraction writes files outside the intended destination directory. Exploitation requires user interaction, since the victim must process the crafted archive, but a successful attack yields arbitrary file overwrite, which an attacker can leverage for remote code execution or persistence.

TL;DR

A path traversal vulnerability in gdown < 5.2.2 allows attackers to overwrite arbitrary files when a victim extracts a maliciously crafted archive containing relative path components (../), potentially leading to remote code execution.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: Path Traversal (CWE-22)
  • Attack Vector: Network
  • CVSS v3.1 Score: 6.5 (Medium)
  • Privileges Required: None
  • User Interaction: Required
  • Exploit Maturity: Proof of Concept Available
  • Impact: Arbitrary File Overwrite / Potential RCE

Affected Systems

  • gdown Python Package
  • Systems executing gdown.extractall() on untrusted archives
  • gdown: < 5.2.2 (Fixed in: 5.2.2)

Exploit Details

Mitigation Strategies

  • Upgrade gdown to version 5.2.2 or later.
  • Isolate automated extraction routines within strictly confined filesystems or minimal privilege Docker containers.
  • Utilize Python 3.12+ environments where the tarfile module sets filter='data' by default, providing secondary defense-in-depth.
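The check that closes this class of bug, for both the vulnerability described above and the mitigation list here, as an added example that is not gdown's own code: every ZIP or TAR member name is resolved against the destination directory before anything is written, tar symlink and hardlink targets are checked as well, and an archive carrying ../ components, absolute names or escaping links is rejected as a whole rather than partially extracted. The sample archives are constructed in memory for the demonstration, and tarfile's 'data' filter is passed explicitly wherever the interpreter provides it instead of relying on a version default.

```python
"""Defensive archive extraction with per-member path checks.

Added example (not gdown's code): validate every ZIP/TAR member against
the destination before any write, so traversal names, absolute names and
escaping links reject the whole archive. Sample archives are constructed.
"""
from __future__ import annotations

import io
import tarfile
import zipfile
from pathlib import Path


class UnsafeArchiveMember(ValueError):
    """A member would be written (or linked) outside the destination."""


def _is_within(base: Path, target: Path) -> bool:
    """True when target, after normalising '..' and symlinks, stays under base."""
    base, target = base.resolve(), target.resolve()
    return target == base or base in target.parents


def checked_path(dest: Path, name: str) -> Path:
    """Map an archive member name to a path under dest, or raise."""
    # Reject absolute POSIX paths and drive-letter paths outright (conservative).
    if not name or name.startswith(("/", "\\")) or name[1:2] == ":":
        raise UnsafeArchiveMember(f"absolute member name: {name!r}")
    target = dest / name
    if not _is_within(dest, target):
        raise UnsafeArchiveMember(f"member escapes destination: {name!r}")
    return target


def check_tar_member(dest: Path, member: tarfile.TarInfo) -> None:
    """Reject traversal in the member name and in symlink/hardlink targets."""
    target = checked_path(dest, member.name)
    if member.issym():
        # A symlink target is relative to the link's own directory.
        if not _is_within(dest, target.parent / member.linkname):
            raise UnsafeArchiveMember(f"symlink escapes destination: {member.name!r}")
    elif member.islnk():
        # A hardlink target is relative to the archive root.
        checked_path(dest, member.linkname)


def safe_extract_zip(data: bytes, dest) -> list[str]:
    """Validate all entries first (all-or-nothing), then extract."""
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for name in names:
            checked_path(dest, name)
        zf.extractall(dest)
    return names


def safe_extract_tar(data: bytes, dest) -> list[str]:
    """Validate all members first, then extract with tarfile's 'data' filter
    where the interpreter provides it (3.12+ and the security backports)."""
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        members = tf.getmembers()
        for m in members:
            check_tar_member(dest, m)
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tf.extractall(dest, members=members, **extra)
    return [m.name for m in members]


# --- constructed sample archives (test fixtures, built in memory) ---

def build_zip(entries: dict[str, str]) -> bytes:
    """Build an in-memory ZIP from {member name: text}; names are not sanitised."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf.getvalue()


def build_tar(entries: dict[str, str], symlinks: dict[str, str] | None = None) -> bytes:
    """Build an in-memory TAR from {member name: text} plus optional {link: target}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, text in entries.items():
            payload = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
        for name, link_target in (symlinks or {}).items():
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = link_target
            tf.addfile(info)
    return buf.getvalue()
```

Validating the whole member list before extracting, rather than catching errors member by member, matters because a partially written archive may already have dropped a file where it should not be. The name check cannot see everything the tar format can express, so the 'data' filter (which also rejects device nodes and strips setuid/setgid bits) stays in place as the backstop.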

Remediation Steps

  1. Identify all projects and environments utilizing gdown via dependency scanners.
  2. Update the dependency definitions (e.g., requirements.txt, setup.py, pyproject.toml) to require gdown>=5.2.2.
  3. Rebuild affected container images and virtual environments.
  4. Audit automated pipelines downloading archives from external sources to ensure extraction executes in a restricted, unprivileged context.

References


Read the full report for GHSA-76HW-P97H-883F on our website for more details including interactive diagrams and full exploit analysis.
