GHSA-M5GR-86J6-99JP
Vulnerability from github – Published: 2026-04-10 21:00 – Updated: 2026-04-10 21:32
VLAI?
Summary
gramps-webapi: Zip Slip Path Traversal in Media Archive Import
Details
Summary
A path traversal vulnerability (Zip Slip) exists in the media archive import feature. An authenticated user with owner-level privileges can craft a malicious ZIP file with directory-traversal filenames to write arbitrary files outside the intended temporary extraction directory on the server's local filesystem.
Details
When importing media archives as ZIP file, MediaImporter._check_disk_space_and_extract() in gramps_webapi/api/media_importer.py called zipfile.extractall() without validating ZIP entry names. Python's zipfile module does not sanitize entry names containing ../ sequences, allowing extraction to paths outside the target directory.
Only users with owner permission can upload media ZIP archives, so the biggest risk is for multi-tree deployments, where tree owners are distinct from server administrators.
For multi-tree deployments, the impact depends on deployment configuration. Assuming the standard docker-based deployment is used:
- SQLite family tree + local media: An attacker can overwrite another tree's database file or media files, leading to cross-tree data corruption or replacement.
- Postgres family tree + S3 media: No persistent tree data is stored on the local filesystem, so cross-tree impact is eliminated. The remaining risk is overwriting volume-mounted files such as the application config file.
- Postgres family tree + S3 media + environment-variable-only config: No persistent files of value are present on the local filesystem. Impact is limited to writes to ephemeral container storage, which are lost on woker restart.
Fix
ZIP entry names are now validated against the resolved real path of the temporary directory before extraction. Any entry whose resolved path falls outside the temporary directory raises an error and aborts the import.
Severity ?
9.1 (Critical)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.11.0"
},
"package": {
"ecosystem": "PyPI",
"name": "gramps-webapi"
},
"ranges": [
{
"events": [
{
"introduced": "1.6.0"
},
{
"fixed": "3.11.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40258"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-10T21:00:09Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "## Summary\n\nA path traversal vulnerability (Zip Slip) exists in the media archive import feature. An authenticated user with owner-level privileges can craft a malicious ZIP file with directory-traversal filenames to write arbitrary files outside the intended temporary extraction directory on the server\u0027s local filesystem.\n\n## Details\n\nWhen importing media archives as ZIP file, `MediaImporter._check_disk_space_and_extract()` in `gramps_webapi/api/media_importer.py` called `zipfile.extractall()` without validating ZIP entry names. Python\u0027s `zipfile` module does not sanitize entry names containing `../` sequences, allowing extraction to paths outside the target directory.\n\nOnly users with **owner permission** can upload media ZIP archives, so the biggest risk is for multi-tree deployments, where tree owners are distinct from server administrators.\n\nFor multi-tree deployments, the impact depends on deployment configuration. Assuming the standard docker-based deployment is used:\n\n- **SQLite family tree + local media**: An attacker can overwrite another tree\u0027s database file or media files, leading to cross-tree data corruption or replacement.\n- **Postgres family tree + S3 media**: No persistent tree data is stored on the local filesystem, so cross-tree impact is eliminated. The remaining risk is overwriting volume-mounted files such as the application config file.\n- **Postgres family tree + S3 media + environment-variable-only config**: No persistent files of value are present on the local filesystem. Impact is limited to writes to ephemeral container storage, which are lost on woker restart.\n\n## Fix\n\nZIP entry names are now validated against the resolved real path of the temporary directory before extraction. Any entry whose resolved path falls outside the temporary directory raises an error and aborts the import.",
"id": "GHSA-m5gr-86j6-99jp",
"modified": "2026-04-10T21:32:40Z",
"published": "2026-04-10T21:00:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gramps-project/gramps-web-api/security/advisories/GHSA-m5gr-86j6-99jp"
},
{
"type": "WEB",
"url": "https://github.com/gramps-project/gramps-web-api/commit/3ed4342711e3ec849552df09b1fe2fbf2ca5c29a"
},
{
"type": "PACKAGE",
"url": "https://github.com/gramps-project/gramps-web-api"
},
{
"type": "WEB",
"url": "https://github.com/gramps-project/gramps-web-api/releases/tag/v3.11.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "gramps-webapi: Zip Slip Path Traversal in Media Archive Import"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…