CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1992 vulnerabilities reference this CWE, most recent first.
GHSA-M8QC-MF6P-PFQ9
Vulnerability from github – Published: 2020-03-11 20:56 – Updated: 2024-10-26 22:44python-rply before 0.7.4 insecurely creates temporary files.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "rply"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.7.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2014-1938"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2020-03-11T20:55:50Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "python-rply before 0.7.4 insecurely creates temporary files.",
"id": "GHSA-m8qc-mf6p-pfq9",
"modified": "2024-10-26T22:44:05Z",
"published": "2020-03-11T20:56:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-1938"
},
{
"type": "WEB",
"url": "https://github.com/alex/rply/issues/42"
},
{
"type": "WEB",
"url": "https://github.com/alex/rply/commit/76d268a38c627bf4aebebcd064f5b6d380eb8b20"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737627"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-m8qc-mf6p-pfq9"
},
{
"type": "PACKAGE",
"url": "https://github.com/alex/rply"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/rply/PYSEC-2019-202.yaml"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2014-1938"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2014/02/11/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Link Following in rply"
}
GHSA-M8V2-6WWH-R4GC
Vulnerability from github – Published: 2026-03-03 23:10 – Updated: 2026-03-18 21:52Summary
In openclaw up to and including 2026.2.23 (latest npm release as of February 24, 2026), sandbox bind-source validation could be bypassed when a bind source used a symlinked parent plus a non-existent leaf path.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected:
<= 2026.2.23 - Patched:
>= 2026.2.24(planned next release)
Root Cause
validateBindMounts previously relied on full-path realpath only when the full source path already existed. For missing-leaf paths, parent symlink traversal was not fully canonicalized before allowed-root and blocked-path checks.
Security Impact
A source path that looked inside an allowed root could resolve outside that root (including blocked runtime paths) once the missing leaf was created, weakening sandbox bind-source boundary enforcement.
Fix
The validation path now canonicalizes through the nearest existing ancestor, then always re-checks the canonical path against both: - allowed source roots - blocked runtime paths
Verification
pnpm checkpnpm exec vitest run --config vitest.gateway.config.tspnpm test:fast- Added regression tests for symlink-parent + missing-leaf bypass patterns.
Fix Commit(s)
b5787e4abba0dcc6baf09051099f6773c1679ec1
Release Process Note
patched_versions is pre-set to the planned next release (2026.2.24) so after npm publish the advisory can be published without further field edits.
OpenClaw thanks @tdjackey for reporting.
Publication Update (2026-02-25)
openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. This advisory now marks >= 2026.2.24 as patched.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.2.23"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.24"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27523"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T23:10:01Z",
"nvd_published_at": "2026-03-18T02:16:23Z",
"severity": "HIGH"
},
"details": "### Summary\nIn `openclaw` up to and including **2026.2.23** (latest npm release as of **February 24, 2026**), sandbox bind-source validation could be bypassed when a bind source used a symlinked parent plus a non-existent leaf path.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: `\u003c= 2026.2.23`\n- Patched: `\u003e= 2026.2.24` (planned next release)\n\n### Root Cause\n`validateBindMounts` previously relied on full-path realpath only when the full source path already existed. For missing-leaf paths, parent symlink traversal was not fully canonicalized before allowed-root and blocked-path checks.\n\n### Security Impact\nA source path that looked inside an allowed root could resolve outside that root (including blocked runtime paths) once the missing leaf was created, weakening sandbox bind-source boundary enforcement.\n\n### Fix\nThe validation path now canonicalizes through the nearest existing ancestor, then always re-checks the canonical path against both:\n- allowed source roots\n- blocked runtime paths\n\n### Verification\n- `pnpm check`\n- `pnpm exec vitest run --config vitest.gateway.config.ts`\n- `pnpm test:fast`\n- Added regression tests for symlink-parent + missing-leaf bypass patterns.\n\n### Fix Commit(s)\n- `b5787e4abba0dcc6baf09051099f6773c1679ec1`\n\n### Release Process Note\n`patched_versions` is pre-set to the planned next release (`2026.2.24`) so after npm publish the advisory can be published without further field edits.\n\nOpenClaw thanks @tdjackey for reporting.\n\n\n### Publication Update (2026-02-25)\n`openclaw@2026.2.24` is published on npm and contains the fix commit(s) listed above. This advisory now marks `\u003e= 2026.2.24` as patched.",
"id": "GHSA-m8v2-6wwh-r4gc",
"modified": "2026-03-18T21:52:35Z",
"published": "2026-03-03T23:10:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-m8v2-6wwh-r4gc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27523"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/b5787e4abba0dcc6baf09051099f6773c1679ec1"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-sandbox-bind-validation-bypass-via-symlink-parent-missing-leaf-paths"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw\u0027s sandbox bind validation could bypass allowed-root and blocked-path checks via symlink-parent missing-leaf paths"
}
GHSA-M923-RJ4W-WVH7
Vulnerability from github – Published: 2022-05-17 05:03 – Updated: 2022-05-17 05:03Red Hat Storage 2.0 allows local users to overwrite arbitrary files via a symlink attack on the (1) e, (2) local-bricks.list, (3) bricks.err, or (4) limits.conf files in /tmp.
{
"affected": [],
"aliases": [
"CVE-2013-4157"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2013-10-04T17:55:00Z",
"severity": "LOW"
},
"details": "Red Hat Storage 2.0 allows local users to overwrite arbitrary files via a symlink attack on the (1) e, (2) local-bricks.list, (3) bricks.err, or (4) limits.conf files in /tmp.",
"id": "GHSA-m923-rj4w-wvh7",
"modified": "2022-05-17T05:03:07Z",
"published": "2022-05-17T05:03:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4157"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2013:1205"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2013-4157"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=986516"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1205.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-M9X3-4XC7-WXXP
Vulnerability from github – Published: 2022-04-22 00:24 – Updated: 2024-04-03 23:05foomatic-rip filter, all versions, used insecurely creates temporary files for storage of PostScript data by rendering the data when the debug mode was enabled. This flaw may be exploited by a local attacker to conduct symlink attacks by overwriting arbitrary files accessible with the privileges of the user running the foomatic-rip universal print filter.
{
"affected": [],
"aliases": [
"CVE-2011-2923"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-19T21:15:00Z",
"severity": "MODERATE"
},
"details": "foomatic-rip filter, all versions, used insecurely creates temporary files for storage of PostScript data by rendering the data when the debug mode was enabled. This flaw may be exploited by a local attacker to conduct symlink attacks by overwriting arbitrary files accessible with the privileges of the user running the foomatic-rip universal print filter.",
"id": "GHSA-m9x3-4xc7-wxxp",
"modified": "2024-04-03T23:05:09Z",
"published": "2022-04-22T00:24:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-2923"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/cve-2011-2923"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2923"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2011-2923"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2011-2923"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M9XR-MRX5-456X
Vulnerability from github – Published: 2022-12-24 00:30 – Updated: 2025-04-15 15:30A link following vulnerability in the Damage Cleanup Engine component of Trend Micro Apex One and Trend Micro Apex One as a Service could allow a local attacker to escalate privileges by creating a symbolic link and abusing the service to delete a file. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-45798"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-24T00:15:00Z",
"severity": "HIGH"
},
"details": "A link following vulnerability in the Damage Cleanup Engine component of Trend Micro Apex One and Trend Micro Apex One as a Service could allow a local attacker to escalate privileges by creating a symbolic link and abusing the service to delete a file. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.",
"id": "GHSA-m9xr-mrx5-456x",
"modified": "2025-04-15T15:30:43Z",
"published": "2022-12-24T00:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45798"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/solution/000291830"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-1665"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MC76-5925-C5P6
Vulnerability from github – Published: 2024-10-01 21:31 – Updated: 2024-12-11 06:30A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container. This issue also allows attackers to access critical host files, bypassing the intended isolation between containers and the host system.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/containers/common"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.60.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-9341"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-01T22:31:13Z",
"nvd_published_at": "2024-10-01T19:15:09Z",
"severity": "MODERATE"
},
"details": "A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container. This issue also allows attackers to access critical host files, bypassing the intended isolation between containers and the host system.",
"id": "GHSA-mc76-5925-c5p6",
"modified": "2024-12-11T06:30:24Z",
"published": "2024-10-01T21:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9341"
},
{
"type": "WEB",
"url": "https://github.com/containers/common/commit/e7db06585c32e1a782c1d9aa3b71ccd708f5e23f"
},
{
"type": "WEB",
"url": "https://github.com/containers/common/blob/384f77532f67afc8a73d8e0c4adb0d195df57714/pkg/subscriptions/subscriptions.go#L349"
},
{
"type": "WEB",
"url": "https://github.com/containers/common/blob/384f77532f67afc8a73d8e0c4adb0d195df57714/pkg/subscriptions/subscriptions.go#L169"
},
{
"type": "PACKAGE",
"url": "https://github.com/containers/common"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315691"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-9341"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:9459"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:9454"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:8846"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:8694"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:8690"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:8428"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:8263"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:8238"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:8112"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:8039"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:7925"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:10818"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:10147"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Link Following in github.com/containers/common"
}
GHSA-MCFX-4VC6-QGXV
Vulnerability from github – Published: 2026-05-07 16:39 – Updated: 2026-06-08 23:20Summary
BentoML's bentoml build packaging workflow follows attacker-controlled symlinks inside the build context and copies the referenced file contents into the generated Bento artifact.
If a victim builds an untrusted repository or other attacker-supplied build context, the attacker can place a symlink such as loot.txt -> /tmp/outside-marker.txt or a link to a more sensitive local file. When bentoml build runs, BentoML dereferences the symlink and packages the target file contents into the Bento. The leaked file can then propagate further through export, push, or containerization workflows.
Details
The vulnerable code walks files under the build context and copies each matched entry into the Bento source directory:
for root, _, files in os.walk(ctx_path):
for f in files:
dir_path = os.path.relpath(root, ctx_path)
path = os.path.join(dir_path, f).replace(os.sep, "/")
if specs.includes(path):
src_file = ctx_path.joinpath(path)
dst_file = target_fs.joinpath(dest_path)
shutil.copy(src_file, dst_file)
There is no validation that the resolved path of src_file remains inside ctx_path before shutil.copy dereferences the source path. As a result, a repository-controlled symlink can cross the trust boundary from attacker-controlled repository content to developer/CI host filesystem during the build process.
This is a build-time path traversal / symlink traversal issue in the packaging feature, not a runtime API issue. The resulting Bento may later be exported, pushed to remote storage, or converted into a container image, which amplifies the leakage impact.
PoC
The issue was verified in WSL against BentoML 1.4.38. The following script reproduces the vulnerability by using a harmless marker file outside the build directory.
mkdir -p /tmp/bento-symlink-poc
cd /tmp/bento-symlink-poc
printf 'BENTOML_SYMLINK_POC_123456\n' > /tmp/outside-marker.txt
cat > service.py <<'EOF'
import bentoml
@bentoml.service
class Demo:
@bentoml.api
def ping(self, x: str) -> str:
return x
EOF
cat > bentofile.yaml <<'EOF'
service: "service:Demo"
include:
- "service.py"
- "loot.txt"
EOF
ln -s /tmp/outside-marker.txt loot.txt
bentoml build --output tag
bentoml export demo:7pilrpjtlomelwct /tmp/poc.zip
mkdir -p /tmp/poc-unzip
unzip -o /tmp/poc.zip -d /tmp/poc-unzip
find /tmp/poc-unzip -name loot.txt -print
cat /tmp/poc-unzip/**/src/loot.txt 2>/dev/null || \
find /tmp/poc-unzip -path '*/src/loot.txt' -exec cat {} \;
- The script creates
/tmp/outside-marker.txtoutside the build context as a stand-in for a sensitive local file. - It creates a minimal BentoML service and explicitly includes
loot.txtinbentofile.yaml. -
It creates
loot.txtas a symlink to the external marker file. -
It runs
bentoml build, exports the generated Bento, unzips it, and reads the packagedsrc/loot.txt. - Successful exploitation is confirmed when the packaged file contains
BENTOML_SYMLINK_POC_123456, proving that BentoML copied the external file contents rather than keeping only the symlink.
Impact
An attacker who can cause a developer, release engineer, or CI system to run bentoml build on an attacker-controlled repository can exfiltrate local files from the build host into the Bento artifact.
This can expose secrets such as cloud credentials, SSH keys, API tokens, environment files, or other sensitive local configuration. Because Bento artifacts are commonly exported, uploaded, stored, or containerized after build, the leaked file contents can spread beyond the original build machine.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.4.38"
},
"package": {
"ecosystem": "PyPI",
"name": "bentoml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.39"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40610"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-07T16:39:47Z",
"nvd_published_at": "2026-05-22T20:16:34Z",
"severity": "MODERATE"
},
"details": "### Summary\nBentoML\u0027s `bentoml build` packaging workflow follows attacker-controlled symlinks inside the build context and copies the referenced file contents into the generated Bento artifact.\n\nIf a victim builds an untrusted repository or other attacker-supplied build context, the attacker can place a symlink such as `loot.txt -\u003e /tmp/outside-marker.txt` or a link to a more sensitive local file. When `bentoml build` runs, BentoML dereferences the symlink and packages the target file contents into the Bento. The leaked file can then propagate further through export, push, or containerization workflows.\n\n### Details\nThe vulnerable code walks files under the build context and copies each matched entry into the Bento source directory:\n\n```python\nfor root, _, files in os.walk(ctx_path):\n for f in files:\n dir_path = os.path.relpath(root, ctx_path)\n path = os.path.join(dir_path, f).replace(os.sep, \"/\")\n if specs.includes(path):\n src_file = ctx_path.joinpath(path)\n dst_file = target_fs.joinpath(dest_path)\n shutil.copy(src_file, dst_file)\n```\n\nThere is no validation that the resolved path of `src_file` remains inside `ctx_path` before `shutil.copy` dereferences the source path. As a result, a repository-controlled symlink can cross the trust boundary from `attacker-controlled repository content` to `developer/CI host filesystem` during the build process.\n\nThis is a build-time path traversal / symlink traversal issue in the packaging feature, not a runtime API issue. The resulting Bento may later be exported, pushed to remote storage, or converted into a container image, which amplifies the leakage impact.\n\n### PoC\nThe issue was verified in WSL against BentoML 1.4.38. The following script reproduces the vulnerability by using a harmless marker file outside the build directory.\n\n```bash\nmkdir -p /tmp/bento-symlink-poc\ncd /tmp/bento-symlink-poc\n\nprintf \u0027BENTOML_SYMLINK_POC_123456\\n\u0027 \u003e /tmp/outside-marker.txt\n\ncat \u003e service.py \u003c\u003c\u0027EOF\u0027\nimport bentoml\n\n@bentoml.service\nclass Demo:\n @bentoml.api\n def ping(self, x: str) -\u003e str:\n return x\nEOF\n\ncat \u003e bentofile.yaml \u003c\u003c\u0027EOF\u0027\nservice: \"service:Demo\"\ninclude:\n - \"service.py\"\n - \"loot.txt\"\nEOF\n\nln -s /tmp/outside-marker.txt loot.txt\n\nbentoml build --output tag\nbentoml export demo:7pilrpjtlomelwct /tmp/poc.zip\n\nmkdir -p /tmp/poc-unzip\nunzip -o /tmp/poc.zip -d /tmp/poc-unzip\nfind /tmp/poc-unzip -name loot.txt -print\ncat /tmp/poc-unzip/**/src/loot.txt 2\u003e/dev/null || \\\nfind /tmp/poc-unzip -path \u0027*/src/loot.txt\u0027 -exec cat {} \\;\n```\n\n- The script creates `/tmp/outside-marker.txt` outside the build context as a stand-in for a sensitive local file.\n- It creates a minimal BentoML service and explicitly includes `loot.txt` in `bentofile.yaml`.\n- It creates `loot.txt` as a symlink to the external marker file.\n\u003cimg width=\"1531\" height=\"648\" alt=\"image\" src=\"https://github.com/user-attachments/assets/1312dcf0-74b0-4fb6-a05d-b68644470d82\" /\u003e\n\n- It runs `bentoml build`, exports the generated Bento, unzips it, and reads the packaged `src/loot.txt`.\n- Successful exploitation is confirmed when the packaged file contains `BENTOML_SYMLINK_POC_123456`, proving that BentoML copied the external file contents rather than keeping only the symlink.\n\u003cimg width=\"1315\" height=\"121\" alt=\"image\" src=\"https://github.com/user-attachments/assets/6ed34f51-9b68-4fa9-8a42-011deb84d54e\" /\u003e\n\n\n\u003cimg width=\"1697\" height=\"760\" alt=\"image\" src=\"https://github.com/user-attachments/assets/9b8a8ae5-4f06-46b4-9e4a-dee25cc5d203\" /\u003e\n\n\n### Impact\nAn attacker who can cause a developer, release engineer, or CI system to run `bentoml build` on an attacker-controlled repository can exfiltrate local files from the build host into the Bento artifact.\n\nThis can expose secrets such as cloud credentials, SSH keys, API tokens, environment files, or other sensitive local configuration. Because Bento artifacts are commonly exported, uploaded, stored, or containerized after build, the leaked file contents can spread beyond the original build machine.",
"id": "GHSA-mcfx-4vc6-qgxv",
"modified": "2026-06-08T23:20:46Z",
"published": "2026-05-07T16:39:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-mcfx-4vc6-qgxv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40610"
},
{
"type": "WEB",
"url": "https://github.com/bentoml/BentoML/commit/5fb7cd41f92e2a56b45391284cf15b9ac9963a1f"
},
{
"type": "PACKAGE",
"url": "https://github.com/bentoml/BentoML"
},
{
"type": "WEB",
"url": "https://github.com/bentoml/BentoML/releases/tag/v1.4.39"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "BentoML has Information Disclosure in `bentoml build` via symlink traversal in the build context"
}
GHSA-MCHM-7MQX-7299
Vulnerability from github – Published: 2025-01-16 00:31 – Updated: 2026-04-24 18:30SimpleHelp remote support software v5.5.7 and before allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file (i.e. zip slip). This can be exploited to execute arbitrary code on the host in the context of the SimpleHelp server user.
{
"affected": [],
"aliases": [
"CVE-2024-57728"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-15T23:15:09Z",
"severity": "HIGH"
},
"details": "SimpleHelp remote support software v5.5.7 and before allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file (i.e. zip slip). This can be exploited to execute arbitrary code on the host in the context of the SimpleHelp server user.",
"id": "GHSA-mchm-7mqx-7299",
"modified": "2026-04-24T18:30:35Z",
"published": "2025-01-16T00:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57728"
},
{
"type": "WEB",
"url": "https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-57728"
},
{
"type": "WEB",
"url": "https://www.horizon3.ai/attack-research/disclosures/critical-vulnerabilities-in-simplehelp-remote-support-software"
},
{
"type": "WEB",
"url": "https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations"
},
{
"type": "WEB",
"url": "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-dragonforce"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MF2W-FPCR-P3W9
Vulnerability from github – Published: 2022-05-13 01:28 – Updated: 2022-05-13 01:28The feh_unique_filename function in utils.c in feh 1.11.2 and earlier might allow local users to create arbitrary files via a symlink attack on a /tmp/feh_ temporary file, a different vulnerability than CVE-2011-0702.
{
"affected": [],
"aliases": [
"CVE-2011-1031"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-02-14T22:00:00Z",
"severity": "LOW"
},
"details": "The feh_unique_filename function in utils.c in feh 1.11.2 and earlier might allow local users to create arbitrary files via a symlink attack on a /tmp/feh_ temporary file, a different vulnerability than CVE-2011-0702.",
"id": "GHSA-mf2w-fpcr-p3w9",
"modified": "2022-05-13T01:28:02Z",
"published": "2022-05-13T01:28:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1031"
},
{
"type": "WEB",
"url": "https://github.com/derf/feh/issues/#issue/32"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=676389"
},
{
"type": "WEB",
"url": "https://derf.homelinux.org/git/feh/commit/?id=23421a86cc826dd30f3dc4f62057fafb04b3ac40"
},
{
"type": "WEB",
"url": "https://derf.homelinux.org/git/feh/commit/?id=29ab0855f044ef2fe9c295b72abefcb37f0861a5"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/43221"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MF9R-R6PC-8FC6
Vulnerability from github – Published: 2026-07-05 06:30 – Updated: 2026-07-05 06:30A weakness has been identified in zcaceres markdownify-mcp up to 1.1.0. The affected element is the function assertPathAllowed of the file src/Markdownify.ts. Executing a manipulation can lead to symlink following. The attack can only be executed locally. The pull request to fix this issue awaits acceptance.
{
"affected": [],
"aliases": [
"CVE-2026-14699"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-05T05:16:27Z",
"severity": "MODERATE"
},
"details": "A weakness has been identified in zcaceres markdownify-mcp up to 1.1.0. The affected element is the function assertPathAllowed of the file src/Markdownify.ts. Executing a manipulation can lead to symlink following. The attack can only be executed locally. The pull request to fix this issue awaits acceptance.",
"id": "GHSA-mf9r-r6pc-8fc6",
"modified": "2026-07-05T06:30:26Z",
"published": "2026-07-05T06:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14699"
},
{
"type": "WEB",
"url": "https://github.com/zcaceres/markdownify-mcp/issues/108"
},
{
"type": "WEB",
"url": "https://github.com/zcaceres/markdownify-mcp/pull/109"
},
{
"type": "WEB",
"url": "https://github.com/zcaceres/markdownify-mcp"
},
{
"type": "WEB",
"url": "https://vuldb.com/cve/CVE-2026-14699"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/846864"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/376295"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/376295/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.