CVE-2025-8917
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-05

Last updated on: 2025-10-06

Assigner: huntr.dev

Description
A vulnerability in allegroai/clearml version v2.0.1 allows for path traversal due to improper handling of symbolic and hard links in the `safe_extract` function. This flaw can lead to arbitrary file writes outside the intended directory, potentially resulting in remote code execution if critical files are overwritten.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-05
Last Modified
2025-10-06
Generated
2026-06-16
AI Q&A
2025-10-05
EPSS Evaluated
2026-06-14
NVD
CVE-2025-8917
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
allegroai clearml v2.0.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in allegroai/clearml version v2.0.1 is a path traversal flaw caused by improper handling of symbolic and hard links in the `safe_extract` function. It allows malicious tar archives to write files outside the intended extraction directory by exploiting unsafe extraction paths. This can lead to arbitrary file writes and potentially remote code execution if critical files are overwritten. [1]

Impact Analysis

The vulnerability can allow an attacker to write files anywhere on the filesystem outside the intended directory during archive extraction. This can lead to overwriting critical files, which may result in remote code execution, compromising the system's security and integrity. [1]

Detection Guidance

This vulnerability can be detected by inspecting the behavior of the `safe_extract` function when extracting tar archives, specifically looking for attempts to extract files outside the intended directory via path traversal or unsafe symbolic/hard links. You can check for suspicious tar files that contain members with paths including '..' or symbolic/hard links pointing outside the extraction directory. Commands to help detect such attempts include: 1) Listing tar archive contents with full paths: `tar -tvf archive.tar` and manually inspecting for suspicious paths. 2) Using a script or tool to verify that all paths and link targets in the tar archive resolve within the intended extraction directory. 3) Monitoring logs or application behavior for exceptions raised by the patched `safe_extract` function indicating path traversal detection. There is no direct network detection command provided, but monitoring file extraction operations and validating tar archives before extraction is recommended. [1]

Mitigation Strategies

Immediate mitigation steps include updating allegroai/clearml to a version that includes the patch fixing CVE-2025-8917, which enhances the `safe_extract` function to properly validate extraction paths and symbolic/hard links. Until the update is applied, avoid extracting untrusted tar archives using the vulnerable `safe_extract` function. Additionally, implement manual checks on tar archives to ensure no path traversal or unsafe links exist before extraction. Applying the patch described in Resource 1 or using the updated code that performs absolute path resolution and validation for all members and links will prevent exploitation of this vulnerability. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-8917. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart