GHSA-QP9X-WP8F-QGJJ
Vulnerability from github – Published: 2026-05-28 22:46 – Updated: 2026-05-28 22:46DelegatedRole._is_target_in_pathpattern uses fnmatch.fnmatch to decide whether a given target path is authorized by a delegation's glob pattern.
Python's fnmatch.fnmatch calls os.path.normcase() on both arguments before matching. On POSIX hosts normcase is the identity function; on Windows hosts os.path resolves to ntpath, whose normcase lowercases its input and replaces / with \.
As a result, python-tuf's delegation path pattern matching is case-sensitive on Linux/macOS but case-INSENSITIVE on Windows. This makes the authorization decision for a target dependent on the host operating system of the client running the updater.
The result on Windows is a TUF specification violation in the python-tuf ngclient implementation.
Vulnerable code
tuf/api/_payload.py (HEAD 7ecb67d):
1183 @staticmethod
1184 def _is_target_in_pathpattern(targetpath: str, pathpattern: str) -> bool:
1185 """Determine whether ``targetpath`` matches the ``pathpattern``."""
1186 # We need to make sure that targetpath and pathpattern are pointing to
1187 # the same directory as fnmatch doesn't threat "/" as a special symbol.
1188 target_parts = targetpath.split("/")
1189 pattern_parts = pathpattern.split("/")
1190 if len(target_parts) != len(pattern_parts):
1191 return False
1192
1193 # Every part in the pathpattern could include a glob pattern, that's why
1194 # each of the target and pathpattern parts should match.
1195 for target, pattern in zip(target_parts, pattern_parts, strict=True):
1196 if not fnmatch.fnmatch(target, pattern):
1197 return False
1198 return True
fnmatch.fnmatch source (Python 3.12, unchanged in current mainline):
def fnmatch(name, pat):
...
name = os.path.normcase(name)
pat = os.path.normcase(pat)
return fnmatchcase(name, pat)
Fix
Replace fnmatch.fnmatch with fnmatch.fnmatchcase, which is explicitly documented as "not applying case normalization", so it behaves identically across platforms.
Attack
- A TUF repository with two path-based delegations whose patterns differ only in case — for example,
Foo/*andfoo/*. - The "attacker" delegation is listed BEFORE the "legit" delegation in the delegation order.
- The client searches for
foo/something: on Windows, it will find the "attacker" provided target "Foo/something".
Exploitability caveats
- The attack needs a repository configuration with case-colliding delegation path patterns. The attacker must control one of the delegated roles.
- Delegation ordering matters: the attacker-controlled role must be visited BEFORE the legit role in the pre-order walk.
- The client must run on Windows. No effect on Linux/macOS.
Credit
Reporter: Koda Reef @kodareef5 Advisory edits: Jussi Kukkonen @jku
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.0.0"
},
"package": {
"ecosystem": "PyPI",
"name": "tuf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-178"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-28T22:46:13Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "`DelegatedRole._is_target_in_pathpattern` uses `fnmatch.fnmatch` to decide whether a given target path is authorized by a delegation\u0027s glob pattern.\n\nPython\u0027s `fnmatch.fnmatch` calls `os.path.normcase()` on both arguments before matching. On POSIX hosts `normcase` is the identity function; on Windows hosts `os.path` resolves to `ntpath`, whose `normcase` lowercases its input and replaces `/` with `\\`.\n\nAs a result, python-tuf\u0027s delegation *path pattern* matching is case-sensitive on Linux/macOS but case-INSENSITIVE on Windows. This makes the authorization decision for a target dependent on the host operating system of the client running the updater.\n\nThe result on Windows is a TUF specification violation in the python-tuf `ngclient` implementation.\n\n## Vulnerable code\n\n`tuf/api/_payload.py` (HEAD `7ecb67d`):\n\n```python\n1183 @staticmethod\n1184 def _is_target_in_pathpattern(targetpath: str, pathpattern: str) -\u003e bool:\n1185 \"\"\"Determine whether ``targetpath`` matches the ``pathpattern``.\"\"\"\n1186 # We need to make sure that targetpath and pathpattern are pointing to\n1187 # the same directory as fnmatch doesn\u0027t threat \"/\" as a special symbol.\n1188 target_parts = targetpath.split(\"/\")\n1189 pattern_parts = pathpattern.split(\"/\")\n1190 if len(target_parts) != len(pattern_parts):\n1191 return False\n1192\n1193 # Every part in the pathpattern could include a glob pattern, that\u0027s why\n1194 # each of the target and pathpattern parts should match.\n1195 for target, pattern in zip(target_parts, pattern_parts, strict=True):\n1196 if not fnmatch.fnmatch(target, pattern):\n1197 return False\n1198 return True\n```\n\n`fnmatch.fnmatch` source (Python 3.12, unchanged in current mainline):\n\n```python\ndef fnmatch(name, pat):\n ...\n name = os.path.normcase(name)\n pat = os.path.normcase(pat)\n return fnmatchcase(name, pat)\n```\n\n## Fix\n\nReplace `fnmatch.fnmatch` with `fnmatch.fnmatchcase`, which is explicitly documented as \"not applying case normalization\", so it behaves identically across platforms.\n\n## Attack\n\n1. A TUF repository with two path-based delegations whose patterns differ only in case \u2014 for example, `Foo/*` and `foo/*`.\n2. The \"attacker\" delegation is listed BEFORE the \"legit\" delegation in the delegation order.\n3. The client searches for `foo/something`: on Windows, it will find the \"attacker\" provided target \"Foo/something\".\n\n\n## Exploitability caveats \n\n* The attack needs a repository configuration with case-colliding delegation path patterns. The attacker must control one of the delegated roles.\n* Delegation ordering matters: the attacker-controlled role must be visited BEFORE the legit role in the pre-order walk.\n* The client must run on Windows. No effect on Linux/macOS.\n\n## Credit\n\nReporter: Koda Reef @kodareef5 \nAdvisory edits: Jussi Kukkonen @jku",
"id": "GHSA-qp9x-wp8f-qgjj",
"modified": "2026-05-28T22:46:13Z",
"published": "2026-05-28T22:46:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/theupdateframework/python-tuf/security/advisories/GHSA-qp9x-wp8f-qgjj"
},
{
"type": "PACKAGE",
"url": "https://github.com/theupdateframework/python-tuf"
},
{
"type": "WEB",
"url": "https://github.com/theupdateframework/python-tuf/releases/tag/v7.0.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "tuf has platform-dependent delegation path matching"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.