CVE-2026-34730
Arbitrary File Read in Copier _external_data Allows Data Exposure
Publication date: 2026-04-02
Last updated on: 2026-04-03
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| copier-org | copier | < 9.14.1 (all releases before 9.14.1; fixed in 9.14.1) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
Copier's `_external_data` feature lets a template declare YAML files that Copier loads and makes available to the template during rendering; the file paths are chosen by the template author. Before 9.14.1 the loader did not check where those paths resolved, so a malicious template could use `..` segments or an absolute path to make Copier read any file the user running it can read, and then reproduce the contents in the rendered output.
Specifically, the function that loads these files did not verify that the resolved path stayed inside the subproject (destination) directory, even though Copier's other file operations block such escapes. No elevated privileges are needed; the only requirement is that a user renders the malicious template.
The issue was fixed in Copier 9.14.1, which now refuses `_external_data` paths that resolve outside the subproject directory unless the user explicitly opts in with the unsafe flags.
How can this vulnerability impact me?
A malicious template can read any file the user running Copier has access to and expose it by embedding the contents in the rendered output: secrets, configuration files and other YAML, JSON or plain-text files are all candidates.
The impact is on confidentiality only; integrity and availability are unaffected. In CVSS terms the attack vector is local and user interaction is required, since the victim has to run Copier against the attacker's template, but no privileges are needed.
So if you render templates from sources you do not fully trust with a vulnerable Copier, local data readable by your account can leak into the generated project.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerable code path is Copier's `_external_data` loader, which reads template-supplied paths without a containment check. Detection therefore has two parts: find the templates in use that declare `_external_data`, and check whether any declared path escapes the subproject directory.
In a `copier.yml`, suspicious entries are values with `..` segments (for example `../secret.yml`) or absolute paths (for example `/etc/passwd`). Values that contain Jinja expressions (`{{ ... }}`) cannot be judged statically, because the path is only known at render time, and should be reviewed by hand.
Because the read happens at render time, watching which files Copier opens while rendering, or checking rendered output for content that looks like it came from outside the template, is the way to spot actual exploitation rather than intent.
Suggested commands: first list the templates that use the feature, then print the lines that follow `_external_data:` and keep those whose value starts with `../` or `/` (the `-A 10` window is a guess at the size of the mapping; widen it for larger templates):
- grep -rln '^_external_data' /path/to/templates
- grep -rn -A 10 '^_external_data' /path/to/templates | grep -E ":\s*[\"']?(\.\./|/)"
To observe exploitation, render the template into a throwaway directory on a disposable machine or container and trace the files Copier opens, for example with `strace -f -e trace=openat -o copier.trace copier copy <template> <destination>`; any path in the trace outside the template, the destination and Copier's own installation deserves a look.
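The script below is an added example, not Copier's own code, that puts the containment check described in the explanation and the template audit from the detection section in one place: it pulls the `_external_data` mapping out of a `copier.yml`, joins each path onto the intended subproject root exactly as a fixed loader would, and reports entries that resolve outside it. The embedded `copier.yml` is constructed for illustration, the line-based extractor only handles the flat name-to-path mapping the feature normally carries (use a real YAML parser for anything fancier), and the root `/srv/project` is a stand-in for a real destination directory.

```python
"""Audit `_external_data` entries in a copier.yml for paths that escape the
subproject root. Added example, not Copier's own code; the parsing is
deliberately minimal (flat `name: path` mapping only)."""
from __future__ import annotations

import re
import sys
from pathlib import Path

# Constructed sample; it covers the shapes an audit has to tell apart.
SAMPLE_COPIER_YML = """\
_min_copier_version: "9"
_external_data:
  settings: settings.yml                     # stays inside the subproject
  parent: ../secrets.yml                     # traversal out of the root
  passwd: /etc/passwd                        # absolute path outside the root
  dyn: "{{ _copier_conf.dst_path }}/x.yml"   # only known at render time
project_name:
  type: str
"""

# An indented `name: value` line, i.e. one entry of the mapping.
_ENTRY_RE = re.compile(r"^\s+(?P<name>[\w.-]+):\s*(?P<value>.*?)\s*$")


def extract_external_data(copier_yml: str) -> dict[str, str]:
    """Return the name -> path mapping under a top-level `_external_data:` key."""
    entries: dict[str, str] = {}
    in_block = False
    for line in copier_yml.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if re.match(r"^_external_data\s*:", line):
            in_block = True
            continue
        if not in_block:
            continue
        m = _ENTRY_RE.match(line)
        if m is None:            # back at column 0: the mapping has ended
            in_block = False
            continue
        value = re.sub(r"\s+#.*$", "", m.group("value"))   # drop trailing comment
        entries[m.group("name")] = value.strip().strip("'\"")
    return entries


def resolves_inside(root: str | Path, rel_path: str) -> bool:
    """True iff `rel_path` joined onto `root` still lies inside `root`.

    This is the check the vulnerable loader lacked. Joining an absolute
    `rel_path` discards `root` entirely, and `resolve()` collapses `..`
    segments and follows symlinks, so absolute paths, traversal and symlink
    escapes all fail the single ancestor test below.
    """
    root_real = Path(root).resolve()
    target = (root_real / rel_path).resolve()
    return target == root_real or root_real in target.parents


def audit_template(copier_yml: str, subproject_root: str | Path) -> dict[str, str]:
    """Classify each entry as 'ok', 'escapes' or 'templated' (needs manual review)."""
    findings: dict[str, str] = {}
    for name, raw in extract_external_data(copier_yml).items():
        if "{{" in raw:
            findings[name] = "templated"   # Jinja-rendered; value unknown until render time
        elif resolves_inside(subproject_root, raw):
            findings[name] = "ok"
        else:
            findings[name] = "escapes"
    return findings


def main(argv: list[str]) -> int:
    """Usage: audit.py [copier.yml [subproject_root]]; exit 1 if any entry escapes."""
    text = Path(argv[1]).read_text() if len(argv) > 1 else SAMPLE_COPIER_YML
    root = argv[2] if len(argv) > 2 else "/srv/project"   # stand-in destination
    findings = audit_template(text, root)
    for name, status in findings.items():
        print(f"{status:9s} {name}")
    return 1 if "escapes" in findings.values() else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it without arguments to see the constructed sample classified, or point it at a real `copier.yml` and the directory you intend to generate into. The `templated` status is deliberately not an "ok": a value that is only known after Jinja rendering is exactly the kind the grep-based search misses, and it should be read by a person before the template is trusted.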
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Copier to 9.14.1 or later, where every `_external_data` path is checked against the subproject root before it is read.
If you cannot upgrade immediately, do not render templates you do not trust, in particular any whose `_external_data` values contain `..` segments or absolute paths.
Pass the `--trust` / `--UNSAFE` flags only for templates you have reviewed, because in fixed versions these flags are the opt-in that allows `_external_data` to load files from outside the subproject root.
Review and audit templates before use to confirm that every `_external_data` entry points inside the intended directory.
Run Copier under an account with access to as few files as possible, so that a malicious template can read only what that account can read.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Copier prior to version 9.14.1 allows unauthorized reading of local files accessible to the user running Copier, potentially exposing sensitive information contained in those files. This results in a high confidentiality loss, which could impact compliance with data protection standards and regulations such as GDPR and HIPAA that require safeguarding sensitive and personal data against unauthorized disclosure.
Since the vulnerability enables local file disclosure without integrity or availability impact, organizations using Copier in environments subject to these regulations should consider the risk of sensitive data exposure through malicious templates. The fix in version 9.14.1 enforces path containment checks and requires explicit user consent to access files outside the intended directory, thereby mitigating unauthorized data exposure and improving compliance posture.