CVE-2026-42795 (GCVE-0-2026-42795)
Vulnerability from cvelistv5 – Published: 2026-06-02 13:41 – Updated: 2026-06-02 19:14
Title
Symlink Following in Hex Package Export Allows Embedding Files Outside Project Root
Summary
Symlink following vulnerability in Gleam's Hex package export allows files outside the project root to be embedded in the generated package tarball.
The file collection helpers (gleam_files, native_files, private_files) in compiler-cli/src/fs.rs use follow_links(true) when walking publishable directories such as src/ and priv/. The collected paths are added to the package archive via add_path_to_tar in compiler-cli/src/publish.rs without verifying that the resolved target remains within the project root. A symlink placed under a publishable directory will cause gleam export hex-tarball or gleam publish to embed the contents of the symlink target into the generated Hex package.
An attacker with write access to the project repository can place a symlink in src/ or priv/ pointing to an arbitrary file. When a maintainer or CI pipeline runs gleam publish or gleam export hex-tarball, local files readable by the publisher (such as secrets, tokens, or SSH keys) are silently embedded into the published package artifact.
This issue affects Gleam from 0.10.0-rc1 until 1.17.0.
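The check the advisory says is missing, as an added Rust example (not Gleam's own code; `check_containment`, `find_escaping_paths` and the constructed temp-dir layout are assumptions for illustration): canonicalize the project root and every path collected while walking `src/` or `priv/` with links followed, refuse anything that resolves outside the root, and guard the walk against symlink cycles.

```rust
// Added example, not code from the Gleam compiler. It shows the
// containment check a publisher could apply to paths collected under
// src/ and priv/ before they are appended to a Hex tarball.
use std::collections::HashSet;
use std::fs;
use std::io;
use std::os::unix::fs::symlink;
use std::path::{Path, PathBuf};

/// Result of checking one collected path against the project root.
#[derive(Debug, PartialEq)]
pub enum Containment {
    Inside,
    /// The path (or a symlink it passes through) resolves outside the root.
    Outside(PathBuf),
}

/// Canonicalize both sides and require the resolved candidate to stay
/// under the resolved root. Canonicalization follows every symlink, so a
/// link that lexically looks like src/foo.gleam but points at a file in
/// the publisher's home directory is rejected. A dangling link makes
/// canonicalize fail, which aborts the export: the safe default.
pub fn check_containment(root: &Path, candidate: &Path) -> io::Result<Containment> {
    let root = fs::canonicalize(root)?;
    let resolved = fs::canonicalize(candidate)?;
    if resolved.starts_with(&root) {
        Ok(Containment::Inside)
    } else {
        Ok(Containment::Outside(resolved))
    }
}

/// Walk `dir` the way the vulnerable helpers did (following links) but
/// check each entry before using or descending into it. Returns the
/// paths whose resolved target escapes `root`, sorted for stable output.
pub fn find_escaping_paths(root: &Path, dir: &Path) -> io::Result<Vec<PathBuf>> {
    let mut escaping = Vec::new();
    let mut visited: HashSet<PathBuf> = HashSet::new();
    let mut stack = vec![dir.to_path_buf()];
    while let Some(current) = stack.pop() {
        // A link cycle such as src/loop -> ../src resolves inside the root
        // but would be walked forever; remember canonical dirs already seen.
        if !visited.insert(fs::canonicalize(&current)?) {
            continue;
        }
        for entry in fs::read_dir(&current)? {
            let path = entry?.path();
            match check_containment(root, &path)? {
                Containment::Outside(_) => escaping.push(path),
                Containment::Inside if path.is_dir() => stack.push(path),
                Containment::Inside => {}
            }
        }
    }
    escaping.sort();
    Ok(escaping)
}

/// Build a constructed project layout under the temp dir (not a real
/// Gleam project) and report which collected paths escape the root,
/// relative to the root. The layout is removed afterwards.
pub fn demo_layout() -> io::Result<Vec<String>> {
    let base = std::env::temp_dir().join(format!("gleam_symlink_demo_{}", std::process::id()));
    let _ = fs::remove_dir_all(&base);
    let root = base.join("project");
    fs::create_dir_all(root.join("src"))?;
    fs::create_dir_all(root.join("priv"))?;
    fs::create_dir_all(base.join("outside"))?;
    fs::write(root.join("src/app.gleam"), "pub fn main() { Nil }\n")?;
    fs::write(root.join("priv/data.txt"), "legitimate asset\n")?;
    fs::write(base.join("outside/secret.txt"), "constructed placeholder, not a real secret\n")?;
    // Looks like a module, resolves outside the project: must be refused.
    symlink("../../outside/secret.txt", root.join("src/leak.gleam"))?;
    // Stays inside the root: allowed.
    symlink("../priv", root.join("src/inner"))?;
    // Cycle back into src/: inside, but only safe because of the visited set.
    symlink("../src", root.join("src/loop"))?;

    let escaping = find_escaping_paths(&root, &root.join("src"))?;
    let rel = escaping
        .iter()
        .map(|p| p.strip_prefix(&root).unwrap_or(p.as_path()).to_string_lossy().into_owned())
        .collect();
    fs::remove_dir_all(&base)?;
    Ok(rel)
}

fn main() -> io::Result<()> {
    for p in demo_layout()? {
        println!("refusing to publish: {p} resolves outside the project root");
    }
    Ok(())
}
```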
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gleam-lang/gleam/security/advi… | vendor-advisory, related |
| https://cna.erlef.org/cves/CVE-2026-42795.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-42795 | related |
| https://github.com/gleam-lang/gleam/commit/6435a5… | patch |
Impacted products
3 products
| Vendor | Product | Package | Affected versions | CPE |
|---|---|---|---|---|
| Gleam | Gleam | pkg:sid/gleam.run/gleam | >= 0.10.0-rc1, < 1.17.0 (semver) | cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:* |
| Gleam | Gleam | pkg:github/gleam-lang/gleam | >= 0.10.0-rc1, < 1.17.0 (semver); >= c82a2d83bd0c06cafdc196820deb3f89a9b3ff7c, < 6435a5528b9ae0449e2f32be579641ec485f6866 (git) | cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:* |
| Gleam | Gleam | pkg:oci/gleam?repository_url=ghcr.io/gleam-lang | >= v0.10.0-rc1-elixir, < v1.17.0-elixir; >= v0.10.0-rc1-erlang, < v1.17.0-erlang; >= v0.10.0-rc1-node, < v1.17.0-node; >= v0.10.0-rc1-node-slim, < v1.17.0-node-slim; >= v0.10.0-rc1-elixir-slim, < v1.17.0-elixir-slim; >= v0.10.0-rc1-erlang-slim, < v1.17.0-erlang-slim; >= v0.10.0-rc1-erlang-alpine, < v1.17.0-erlang-alpine; >= v0.10.0-rc1-elixir-alpine, < v1.17.0-elixir-alpine; >= v0.10.0-rc1-node-alpine, < v1.17.0-node-alpine; >= v0.10.0-rc1-scratch, < v1.17.0-scratch (all of type "other") | cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42795",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T15:04:06.195456Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T15:04:35.767Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/gleam-lang/gleam/security/advisories/GHSA-qhh5-fg4c-8gqc"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"compiler-cli"
],
"packageName": "gleam",
"packageURL": "pkg:sid/gleam.run/gleam",
"product": "Gleam",
"programFiles": [
"compiler-cli/src/fs.rs",
"compiler-cli/src/publish.rs"
],
"programRoutines": [
{
"name": "compiler_cli::fs::gleam_files"
},
{
"name": "compiler_cli::fs::native_files"
},
{
"name": "compiler_cli::fs::private_files"
},
{
"name": "compiler_cli::publish::project_files"
},
{
"name": "compiler_cli::publish::add_path_to_tar"
}
],
"vendor": "Gleam",
"versions": [
{
"lessThan": "1.17.0",
"status": "affected",
"version": "0.10.0-rc1",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"compiler-cli"
],
"packageName": "gleam-lang/gleam",
"packageURL": "pkg:github/gleam-lang/gleam",
"product": "Gleam",
"programFiles": [
"compiler-cli/src/fs.rs",
"compiler-cli/src/publish.rs"
],
"programRoutines": [
{
"name": "compiler_cli::fs::gleam_files"
},
{
"name": "compiler_cli::fs::native_files"
},
{
"name": "compiler_cli::fs::private_files"
},
{
"name": "compiler_cli::publish::project_files"
},
{
"name": "compiler_cli::publish::add_path_to_tar"
}
],
"repo": "https://github.com/gleam-lang/gleam",
"vendor": "Gleam",
"versions": [
{
"lessThan": "1.17.0",
"status": "affected",
"version": "0.10.0-rc1",
"versionType": "semver"
},
{
"lessThan": "6435a5528b9ae0449e2f32be579641ec485f6866",
"status": "affected",
"version": "c82a2d83bd0c06cafdc196820deb3f89a9b3ff7c",
"versionType": "git"
}
]
},
{
"collectionURL": "https://ghcr.io",
"cpes": [
"cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"compiler-cli"
],
"packageName": "gleam-lang/gleam",
"packageURL": "pkg:oci/gleam?repository_url=ghcr.io/gleam-lang",
"product": "Gleam",
"programFiles": [
"compiler-cli/src/fs.rs",
"compiler-cli/src/publish.rs"
],
"programRoutines": [
{
"name": "compiler_cli::fs::gleam_files"
},
{
"name": "compiler_cli::fs::native_files"
},
{
"name": "compiler_cli::fs::private_files"
},
{
"name": "compiler_cli::publish::project_files"
},
{
"name": "compiler_cli::publish::add_path_to_tar"
}
],
"vendor": "Gleam",
"versions": [
{
"lessThan": "v1.17.0-elixir",
"status": "affected",
"version": "v0.10.0-rc1-elixir",
"versionType": "other"
},
{
"lessThan": "v1.17.0-erlang",
"status": "affected",
"version": "v0.10.0-rc1-erlang",
"versionType": "other"
},
{
"lessThan": "v1.17.0-node",
"status": "affected",
"version": "v0.10.0-rc1-node",
"versionType": "other"
},
{
"lessThan": "v1.17.0-node-slim",
"status": "affected",
"version": "v0.10.0-rc1-node-slim",
"versionType": "other"
},
{
"lessThan": "v1.17.0-elixir-slim",
"status": "affected",
"version": "v0.10.0-rc1-elixir-slim",
"versionType": "other"
},
{
"lessThan": "v1.17.0-erlang-slim",
"status": "affected",
"version": "v0.10.0-rc1-erlang-slim",
"versionType": "other"
},
{
"lessThan": "v1.17.0-erlang-alpine",
"status": "affected",
"version": "v0.10.0-rc1-erlang-alpine",
"versionType": "other"
},
{
"lessThan": "v1.17.0-elixir-alpine",
"status": "affected",
"version": "v0.10.0-rc1-elixir-alpine",
"versionType": "other"
},
{
"lessThan": "v1.17.0-node-alpine",
"status": "affected",
"version": "v0.10.0-rc1-node-alpine",
"versionType": "other"
},
{
"lessThan": "v1.17.0-scratch",
"status": "affected",
"version": "v0.10.0-rc1-scratch",
"versionType": "other"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.17.0",
"versionStartIncluding": "0.10.0-rc1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aly (spect3r1)"
},
{
"lang": "en",
"type": "finder",
"value": "Abdelrahman Ahmed Aboelkasem (0x2face)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Louis Pilfold"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSymlink following vulnerability in Gleam\u0027s Hex package export allows files outside the project root to be embedded in the generated package tarball.\u003c/p\u003e\u003cp\u003eThe file collection helpers (\u003ctt\u003egleam_files\u003c/tt\u003e, \u003ctt\u003enative_files\u003c/tt\u003e, \u003ctt\u003eprivate_files\u003c/tt\u003e) in \u003ctt\u003ecompiler-cli/src/fs.rs\u003c/tt\u003e use \u003ctt\u003efollow_links(true)\u003c/tt\u003e when walking publishable directories such as \u003ctt\u003esrc/\u003c/tt\u003e and \u003ctt\u003epriv/\u003c/tt\u003e. The collected paths are added to the package archive via \u003ctt\u003eadd_path_to_tar\u003c/tt\u003e in \u003ctt\u003ecompiler-cli/src/publish.rs\u003c/tt\u003e without verifying that the resolved target remains within the project root. A symlink placed under a publishable directory will cause \u003ctt\u003egleam export hex-tarball\u003c/tt\u003e or \u003ctt\u003egleam publish\u003c/tt\u003e to embed the contents of the symlink target into the generated Hex package.\u003c/p\u003e\u003cp\u003eAn attacker with write access to the project repository can place a symlink in \u003ctt\u003esrc/\u003c/tt\u003e or \u003ctt\u003epriv/\u003c/tt\u003e pointing to an arbitrary file. When a maintainer or CI pipeline runs \u003ctt\u003egleam publish\u003c/tt\u003e or \u003ctt\u003egleam export hex-tarball\u003c/tt\u003e, local files readable by the publisher (such as secrets, tokens, or SSH keys) are silently embedded into the published package artifact.\u003c/p\u003e\u003cp\u003eThis issue affects Gleam from 0.10.0-rc1 until 1.17.0.\u003c/p\u003e"
}
],
"value": "Symlink following vulnerability in Gleam\u0027s Hex package export allows files outside the project root to be embedded in the generated package tarball.\n\nThe file collection helpers (gleam_files, native_files, private_files) in compiler-cli/src/fs.rs use follow_links(true) when walking publishable directories such as src/ and priv/. The collected paths are added to the package archive via add_path_to_tar in compiler-cli/src/publish.rs without verifying that the resolved target remains within the project root. A symlink placed under a publishable directory will cause gleam export hex-tarball or gleam publish to embed the contents of the symlink target into the generated Hex package.\n\nAn attacker with write access to the project repository can place a symlink in src/ or priv/ pointing to an arbitrary file. When a maintainer or CI pipeline runs gleam publish or gleam export hex-tarball, local files readable by the publisher (such as secrets, tokens, or SSH keys) are silently embedded into the published package artifact.\n\nThis issue affects Gleam from 0.10.0-rc1 until 1.17.0."
}
],
"impacts": [
{
"capecId": "CAPEC-132",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-132 Symlink Attack"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T19:14:25.176Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/gleam-lang/gleam/security/advisories/GHSA-qhh5-fg4c-8gqc"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-42795.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-42795"
},
{
"tags": [
"patch"
],
"url": "https://github.com/gleam-lang/gleam/commit/6435a5528b9ae0449e2f32be579641ec485f6866"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Symlink Following in Hex Package Export Allows Embedding Files Outside Project Root",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eAvoid running \u003ctt\u003egleam publish\u003c/tt\u003e or \u003ctt\u003egleam export hex-tarball\u003c/tt\u003e on untrusted projects\u003c/li\u003e\u003cli\u003eReview the contents of \u003ctt\u003esrc/\u003c/tt\u003e and \u003ctt\u003epriv/\u003c/tt\u003e for unexpected symlinks before publishing\u003c/li\u003e\u003cli\u003eRun publishing commands in a restricted or isolated environment (e.g. containers)\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* Avoid running gleam publish or gleam export hex-tarball on untrusted projects\n* Review the contents of src/ and priv/ for unexpected symlinks before publishing\n* Run publishing commands in a restricted or isolated environment (e.g. containers)"
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-42795",
"datePublished": "2026-06-02T13:41:39.527Z",
"dateReserved": "2026-04-29T18:06:33.251Z",
"dateUpdated": "2026-06-02T19:14:25.176Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-42795",
"date": "2026-06-07",
"epss": "0.00014",
"percentile": "0.0259"
}
}
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.