CVE Reports

Posted on • Originally published at cvereports.com

GHSA-W75W-9QV4-J5XJ: Path Traversal in dbt-common Archive Extraction

Vulnerability ID: GHSA-W75W-9QV4-J5XJ
CVSS Score: 4.0
Published: 2026-03-05

A path traversal vulnerability exists in the dbt-common Python package due to insecure usage of os.path.commonprefix during archive extraction. This flaw allows malicious tarballs to bypass directory confinement checks and write files to sibling directories of the intended destination. The vulnerability affects versions prior to 1.34.2 and versions between 1.35.0 and 1.37.3. It arises from a logic error where string prefix matching is used instead of path component comparison, effectively neutralizing the sandbox check intended to prevent arbitrary file writes.

TL;DR

dbt-common incorrectly uses string prefix matching to validate file paths during tarball extraction. Attackers can bypass this check using crafted paths (e.g., /target_evil vs /target) to write files outside the intended directory. Fixed in versions 1.34.2 and 1.37.3.
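To make the difference between the two checks concrete, here is an added example (not code from dbt-common or from the original report) that puts the pre-fix string-prefix check next to the post-fix component-wise check and runs both over a few constructed tar member names. The function and variable names are mine; the destination path `/opt/target` and the member names are constructed sample values.

```python
import os


def is_within_directory_vulnerable(directory: str, target: str) -> bool:
    """Pre-fix check, as described in the advisory.

    os.path.commonprefix compares character by character, so
    "/opt/target_evil/x" shares the prefix "/opt/target" with
    "/opt/target" and is wrongly accepted as being inside it.
    """
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    prefix = os.path.commonprefix([abs_directory, abs_target])
    return prefix == abs_directory


def is_within_directory_fixed(directory: str, target: str) -> bool:
    """Post-fix check: os.path.commonpath compares whole path components.

    commonpath raises ValueError when the inputs mix absolute and relative
    paths (or, on Windows, sit on different drives); that is treated as
    "not contained", mirroring the patched behaviour.
    """
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    try:
        return os.path.commonpath([abs_directory, abs_target]) == abs_directory
    except ValueError:
        return False


def unsafe_member_names(member_names: list[str], destination: str) -> list[str]:
    """Return the archive member names whose extraction path would land
    outside `destination` according to the fixed check.

    Only names are inspected; nothing is written to disk. os.path.join
    discards `destination` when a member name is absolute, so absolute
    names are rejected as well.
    """
    rejected = []
    for name in member_names:
        target = os.path.join(destination, name)
        if not is_within_directory_fixed(destination, target):
            rejected.append(name)
    return rejected


def slipped_past_old_check(member_names: list[str], destination: str) -> list[str]:
    """Names the vulnerable check accepted but the fixed check rejects:
    exactly the sibling-directory case the advisory describes."""
    return [
        name
        for name in unsafe_member_names(member_names, destination)
        if is_within_directory_vulnerable(destination, os.path.join(destination, name))
    ]


# Constructed sample member names, not taken from any real package.
SAMPLE_MEMBERS = [
    "models/a.sql",            # normal relative entry
    "./c.sql",                 # harmless "./" prefix
    "../target_evil/b.sql",    # sibling directory sharing a string prefix
    "/etc/passwd",             # absolute name
]

if __name__ == "__main__":
    dest = "/opt/target"
    print("rejected by fixed check:", unsafe_member_names(SAMPLE_MEMBERS, dest))
    print("accepted only by old check:", slipped_past_old_check(SAMPLE_MEMBERS, dest))
```

The sibling entry is the interesting one: both checks agree on the absolute name, but only `commonpath` notices that `target_evil` is a different component from `target`.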


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-22
  • CWE Name: Improper Limitation of a Pathname to a Restricted Directory
  • CVSS Score: 4.0 (Medium)
  • CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
  • Exploit Maturity: Proof of Concept (PoC)
  • Patch Status: Available (1.34.2, 1.37.3)

Affected Systems

  • dbt-common Python package
  • dbt-core (via dependency)
  • Systems executing dbt deps or dbt package install from untrusted sources
  • dbt-common: < 1.34.2 (Fixed in: 1.34.2)
  • dbt-common: >= 1.35.0, < 1.37.3 (Fixed in: 1.37.3)

Code Analysis

Commit: e547954

Fix path traversal in safe_extract by using commonpath

-        prefix = os.path.commonprefix([abs_directory, abs_target])
-        return prefix == abs_directory
+        try:
+            prefix = os.path.commonpath([abs_directory, abs_target])
+            return prefix == abs_directory
+        except ValueError:
+            return False
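Review bot: the `except ValueError: return False` branch is the safe default, but it drops the reason a member was rejected; consider logging the offending path so an operator can tell a malformed archive apart from an attempted traversal. The equality `prefix == abs_directory` also depends on `abs_directory` and `abs_target` being absolute and normalized before this point (the names suggest `os.path.abspath`, but that is outside the hunk): `os.path.commonpath` returns a normalized path, so an un-normalized `abs_directory` such as one with a trailing separator would fail the comparison and reject legitimate members. Worth a test next to `test_untar_package_sibling_path_traversal` for the exact-match case where `abs_target == abs_directory`.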

Exploit Details

  • GitHub (Unit Test): Reproduction test case 'test_untar_package_sibling_path_traversal' demonstrating the bypass.

Mitigation Strategies

  • Upgrade dbt-common to version 1.34.2 (for 1.30.x - 1.34.x users) or 1.37.3 (for 1.35.x+ users).
  • Verify the integrity and source of all dbt packages before installation.
  • Run dbt operations in ephemeral, sandboxed environments (e.g., containers) to limit filesystem write impact.

Remediation Steps:

  1. Identify the currently installed version: pip show dbt-common.
  2. Update the package using pip: pip install --upgrade dbt-common.
  3. If using dbt-core, ensure it is updated to version 1.11.7 or 1.10.20, which pull in the fixed common library.
  4. Verify the fix by checking the version: dbt --version.

Read the full report for GHSA-W75W-9QV4-J5XJ on our website for more details including interactive diagrams and full exploit analysis.