CVE-2026-34783
Path Traversal in Ferret IO::FS::WRITE Enables Remote Code Execution
Publication date: 2026-04-06
Last updated on: 2026-04-14
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| montferret | ferret | to 2.0.0 (exc) |
| montferret | ferret | 2.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows arbitrary file writes on the victim's filesystem, potentially leading to remote code execution and system compromise. This can result in unauthorized modification or exposure of sensitive data.
Such unauthorized file writes and potential system compromise could lead to violations of data protection standards and regulations like GDPR and HIPAA, which require strict controls over data integrity, confidentiality, and system security.
Specifically, the ability to write files such as cron jobs, SSH authorized_keys, shell profiles, or web shells could enable attackers to access or manipulate protected data, undermining compliance with these regulations.
Can you explain this vulnerability to me?
CVE-2026-34783 is a path traversal vulnerability in the Ferret framework's IO::FS::WRITE standard library function. This vulnerability allows a malicious website to cause Ferret to write arbitrary files to the filesystem of the machine running it.
The issue arises because the IO::FS::WRITE function does not sanitize or validate file paths before writing. Attackers can include "../" sequences in filenames returned by malicious websites, which Ferret then uses to construct output paths. This enables the attacker to escape the intended output directory and write files anywhere on the filesystem.
For example, an attacker can craft JSON data with filenames like "../../etc/cron.d/evil". When Ferret writes this file, it ends up in the system's cron directory, allowing the attacker to schedule malicious commands.
This vulnerability can lead to remote code execution by writing malicious cron jobs, SSH authorized_keys, shell profiles, or web shells.
The vulnerability was fixed in Ferret version 2.0.0-alpha.4 by adding path sanitization and base directory enforcement.
How can this vulnerability impact me?
This vulnerability can have severe impacts including:
- Arbitrary file write on the victim's filesystem with attacker-controlled content.
- Remote code execution via malicious cron jobs placed in system cron directories.
- Unauthorized SSH access by writing to the ~/.ssh/authorized_keys file.
- Execution of commands on user login by modifying shell profile files like ~/.bashrc or ~/.profile.
- Deployment of web shells in web directories, enabling remote control of web servers.
- Credential theft or privilege escalation through modification of application configuration files.
Overall, exploitation can lead to full system compromise, data loss, and unauthorized access.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unexpected file writes outside of intended directories, especially writes whose requested path contains traversal sequences such as "../".
A proof of concept includes running a Ferret scraping script that fetches malicious JSON containing filenames with traversal sequences and observing if files are written outside the designated output directory.
Security tests have been added to the MontFerret project to detect path traversal vulnerabilities, which can be run using the command `make test-security` as part of the CI pipeline.
- Run `make test-security` to execute security-related tests targeting path traversal detection.
- Check for files created outside expected directories, especially where the requested filename contained "../" sequences.
- Use monitoring tools or scripts to detect creation or modification of sensitive files such as `/etc/cron.d/`, `~/.ssh/authorized_keys`, shell profiles, or web directories.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in Ferret version 2.0.0-alpha.4, so the immediate step is to upgrade to this or a later version.
Additional mitigation steps include sanitizing and validating file paths before writing, specifically rejecting any paths containing ".." sequences to prevent path traversal.
Enforce base directory restrictions by resolving absolute paths and ensuring that file writes do not escape the intended base directory, including resolving symlinks.
- Upgrade Ferret to version 2.0.0-alpha.4 or later.
- Implement path sanitization to reject traversal sequences, for example using Go's `filepath.Clean` and checking for ".." components.
- Enforce base directory constraints by resolving absolute paths and verifying they remain within the allowed directory.
- Review and restrict permissions on sensitive files and directories to limit impact if exploitation occurs.
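The unchecked join described in the explanation above, beside a hardened `safeJoin` that applies the mitigations just listed (clean the name, reject `..` components, resolve symlinks on the base, verify the result stays under it). This is an added illustration in Go and not Ferret's own code; the output directory and the filenames are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when an untrusted name would escape the base directory.
var ErrTraversal = errors.New("path escapes base directory")
// naiveJoin mirrors the pre-fix behaviour the advisory describes: the
// attacker-controlled name is joined onto the output directory unchecked.
func naiveJoin(base, name string) string {
	return filepath.Join(base, name)
}

// safeJoin is the hardened form: reject absolute names and any ".." component
// after cleaning, then verify the joined result still lies under the real base.
func safeJoin(base, name string) (string, error) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	// Compare against the real path of a symlinked base; a base that does not exist yet is used as given.
	if r, err := filepath.EvalSymlinks(absBase); err == nil {
		absBase = r
	}
	if filepath.IsAbs(name) {
		return "", ErrTraversal
	}
	cleaned := filepath.Clean(name)
	for _, part := range strings.Split(cleaned, string(filepath.Separator)) {
		if part == ".." {
			return "", ErrTraversal
		}
	}
	full := filepath.Join(absBase, cleaned)
	if full != absBase && !strings.HasPrefix(full, absBase+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}

func main() {
	base, evil := "/var/ferret/output", "../../../etc/cron.d/evil" // constructed values
	fmt.Println("naive:", naiveJoin(base, evil))
	_, err := safeJoin(base, evil)
	fmt.Println("safe:", err)
}
```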