CVE-2026-34783
Received Received - Intake
Path Traversal in Ferret IO::FS::WRITE Enables Remote Code Execution

Publication date: 2026-04-06

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
Ferret is a declarative system for working with web data. Prior to 2.0.0-alpha.4, a path traversal vulnerability in Ferret's IO::FS::WRITE standard library function allows a malicious website to write arbitrary files to the filesystem of the machine running Ferret. When an operator scrapes a website that returns filenames containing ../ sequences, and uses those filenames to construct output paths (a standard scraping pattern), the attacker controls both the destination path and the file content. This can lead to remote code execution via cron jobs, SSH authorized_keys, shell profiles, or web shells. This vulnerability is fixed in 2.0.0-alpha.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34783
EUVD
EUVD-2026-19353
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
montferret ferret to 2.0.0 (exc)
montferret ferret 2.0.0
montferret ferret 2.0.0
montferret ferret 2.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-34783 is a path traversal vulnerability in the Ferret framework's IO::FS::WRITE standard library function. This vulnerability allows a malicious website to cause Ferret to write arbitrary files to the filesystem of the machine running it.

The issue arises because the IO::FS::WRITE function does not sanitize or validate file paths before writing. Attackers can include "../" sequences in filenames returned by malicious websites, which Ferret then uses to construct output paths. This enables the attacker to escape the intended output directory and write files anywhere on the filesystem.

For example, an attacker can craft JSON data with filenames like "../../etc/cron.d/evil". When Ferret writes this file, it ends up in the system's cron directory, allowing the attacker to schedule malicious commands.

This vulnerability can lead to remote code execution by writing malicious cron jobs, SSH authorized_keys, shell profiles, or web shells.

The vulnerability was fixed in Ferret version 2.0.0-alpha.4 by adding path sanitization and base directory enforcement.

Compliance Impact

The vulnerability allows arbitrary file writes on the victim's filesystem, potentially leading to remote code execution and system compromise. This can result in unauthorized modification or exposure of sensitive data.

Such unauthorized file writes and potential system compromise could lead to violations of data protection standards and regulations like GDPR and HIPAA, which require strict controls over data integrity, confidentiality, and system security.

Specifically, the ability to write files such as cron jobs, SSH authorized_keys, shell profiles, or web shells could enable attackers to access or manipulate protected data, undermining compliance with these regulations.

Impact Analysis

This vulnerability can have severe impacts including:

  • Arbitrary file write on the victim's filesystem with attacker-controlled content.
  • Remote code execution via malicious cron jobs placed in system cron directories.
  • Unauthorized SSH access by writing to the ~/.ssh/authorized_keys file.
  • Execution of commands on user login by modifying shell profile files like ~/.bashrc or ~/.profile.
  • Deployment of web shells in web directories, enabling remote control of web servers.
  • Credential theft or privilege escalation through modification of application configuration files.

Overall, exploitation can lead to full system compromise, data loss, and unauthorized access.

Detection Guidance

This vulnerability can be detected by monitoring for unexpected file writes outside of intended directories, especially files created with path traversal sequences such as "../" in their names.

A proof of concept includes running a Ferret scraping script that fetches malicious JSON containing filenames with traversal sequences and observing if files are written outside the designated output directory.

Security tests have been added to the MontFerret project to detect path traversal vulnerabilities, which can be run using the command `make test-security` as part of the CI pipeline.

  • Run `make test-security` to execute security-related tests targeting path traversal detection.
  • Check for files created outside expected directories, especially those with names containing "../" sequences.
  • Use monitoring tools or scripts to detect creation or modification of sensitive files such as `/etc/cron.d/`, `~/.ssh/authorized_keys`, shell profiles, or web directories.
Mitigation Strategies

The vulnerability is fixed in Ferret version 2.0.0-alpha.4, so the immediate step is to upgrade to this or a later version.

Additional mitigation steps include sanitizing and validating file paths before writing, specifically rejecting any paths containing ".." sequences to prevent path traversal.

Enforce base directory restrictions by resolving absolute paths and ensuring that file writes do not escape the intended base directory, including resolving symlinks.

  • Upgrade Ferret to version 2.0.0-alpha.4 or later.
  • Implement path sanitization to reject traversal sequences, for example using Go's `filepath.Clean` and checking for ".." components.
  • Enforce base directory constraints by resolving absolute paths and verifying they remain within the allowed directory.
  • Review and restrict permissions on sensitive files and directories to limit impact if exploitation occurs.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34783. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart