CVE-2025-8917
BaseFortify
Publication date: 2025-10-05
Last updated on: 2025-10-06
Assigner: huntr.dev
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| allegroai | clearml | v2.0.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in allegroai/clearml version v2.0.1 is a path traversal flaw caused by improper handling of symbolic and hard links in the `safe_extract` function. It allows malicious tar archives to write files outside the intended extraction directory by exploiting unsafe extraction paths. This can lead to arbitrary file writes and potentially remote code execution if critical files are overwritten. [1]
How can this vulnerability impact me?
The vulnerability can allow an attacker to write files anywhere on the filesystem outside the intended directory during archive extraction. This can lead to overwriting critical files, which may result in remote code execution, compromising the system's security and integrity. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the behavior of the `safe_extract` function when extracting tar archives, specifically looking for attempts to extract files outside the intended directory via path traversal or unsafe symbolic/hard links. You can check for suspicious tar files that contain members with paths including '..' or symbolic/hard links pointing outside the extraction directory. Commands to help detect such attempts include:
1) Listing tar archive contents with full paths: `tar -tvf archive.tar` and manually inspecting for suspicious paths.
2) Using a script or tool to verify that all paths and link targets in the tar archive resolve within the intended extraction directory.
3) Monitoring logs or application behavior for exceptions raised by the patched `safe_extract` function indicating path traversal detection.
There is no direct network detection command provided, but monitoring file extraction operations and validating tar archives before extraction is recommended. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating allegroai/clearml to a version that includes the patch fixing CVE-2025-8917, which enhances the `safe_extract` function to properly validate extraction paths and symbolic/hard links. Until the update is applied, avoid extracting untrusted tar archives using the vulnerable `safe_extract` function. Additionally, implement manual checks on tar archives to ensure no path traversal or unsafe links exist before extraction. Applying the patch described in Resource 1 or using the updated code that performs absolute path resolution and validation for all members and links will prevent exploitation of this vulnerability. [1]
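The detection answer (item 2, a script that verifies every member path and link target resolves inside the extraction directory) and the mitigation answer (manual checks on archives before extraction) describe the same pre-extraction audit. The Python below is an added illustration of that audit written for this page; it is not ClearML's `safe_extract` and not the patch the advisory refers to. It audits a tar archive in memory before anything touches the filesystem, flagging members whose normalised path leaves the root, symbolic links and hard links whose targets leave the root, and members that would be written through an earlier symbolic-link member. The sample archive it builds (`build_sample_tar`) is constructed for the example; all member names in it are made up.

```python
import io
import posixpath
import tarfile


def _inside(rel_path: str) -> bool:
    """True if a POSIX path, after normalisation, stays under the extraction root."""
    if posixpath.isabs(rel_path):
        return False
    norm = posixpath.normpath(rel_path)
    return norm != ".." and not norm.startswith("../")


def audit_tar(tar: tarfile.TarFile) -> dict:
    """Return {member_name: reason} for every member that would escape the root.

    Members are checked in archive order so that a file written through a
    symlink member declared earlier in the archive is caught as well.
    """
    problems = {}
    symlinks = set()  # normalised names of symlink members accepted so far
    for m in tar.getmembers():
        name = posixpath.normpath(m.name)
        if not _inside(m.name):
            problems[m.name] = "member path escapes extraction root"
            continue
        # Any ancestor directory that is an earlier symlink member would redirect this write.
        parent = posixpath.dirname(name)
        while parent and parent != ".":
            if parent in symlinks:
                problems[m.name] = f"path passes through symlink member {parent!r}"
                break
            parent = posixpath.dirname(parent)
        if m.name in problems:
            continue
        if m.issym():
            # Symlink targets are relative to the directory containing the link.
            target = posixpath.join(posixpath.dirname(name), m.linkname)
            if posixpath.isabs(m.linkname) or not _inside(target):
                problems[m.name] = "symlink target escapes extraction root"
            else:
                symlinks.add(name)
        elif m.islnk():
            # Hard link targets are relative to the archive root.
            if not _inside(m.linkname):
                problems[m.name] = "hard link target escapes extraction root"
    return problems


def audit_archive(tar_bytes: bytes) -> dict:
    """Audit an archive held in memory; nothing is extracted."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return audit_tar(tar)


def extract_if_safe(tar_bytes: bytes, dest_dir: str) -> list:
    """Extract only when the audit finds nothing; otherwise raise with the findings."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        problems = audit_tar(tar)
        if problems:
            raise ValueError(f"refusing to extract: {problems}")
        tar.extractall(dest_dir)
        return [m.name for m in tar.getmembers()]


def build_sample_tar() -> bytes:
    """Constructed sample archive (not from the advisory) mixing safe and unsafe members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data=b"x"):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        def add_link(name, target, kind):
            info = tarfile.TarInfo(name)
            info.type = kind
            info.linkname = target
            tar.addfile(info)

        add_file("data/ok.txt", b"hello")                          # safe
        add_file("../escape.txt")                                  # path traversal
        add_link("data/sym_out", "../../outside.txt", tarfile.SYMTYPE)  # symlink out
        add_link("data/hard_out", "../outside_hard", tarfile.LNKTYPE)   # hard link out
        add_link("data/sym_in", "ok.txt", tarfile.SYMTYPE)         # safe symlink
        add_file("data/sym_in/nested.txt")                         # write through symlink
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in audit_archive(build_sample_tar()).items():
        print(f"{member}: {reason}")
```

Running the module lists the four constructed members that fail the audit; `data/ok.txt` and the inward-pointing `data/sym_in` pass. On Python 3.12 and later (and the 3.8.17/3.9.17/3.10.12/3.11.4 backports), `tarfile.extractall(path, filter="data")` applies an equivalent policy in the standard library, which is the simpler choice where that version is available; the explicit audit above is useful where extraction is delegated to older code or where the findings need to be logged before the archive is refused.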