CVE-2026-42795
Symlink Following in Gleam Hex Package Export
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: EEF
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gleam | gleam | From 0.10.0-rc1 (inc) to 1.17.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-59 | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42795 is a symlink following vulnerability in the Gleam programming language's Hex package export functionality. The issue arises because the file collection helpers in Gleam use a method that follows symbolic links when gathering files from publishable directories such as src/ and priv/. However, the system does not verify whether the resolved symlink targets remain within the project root directory.
An attacker with write access to the project repository can create a symlink inside these directories that points to arbitrary files outside the project, such as sensitive system files. When a maintainer or CI pipeline runs commands like gleam publish or gleam export hex-tarball, the contents of these external files are silently embedded into the generated package tarball, potentially exposing sensitive information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows sensitive files such as secrets, tokens, or SSH keys to be silently embedded into published package artifacts if an attacker with write access places a symlink pointing outside the project root. This exposure of sensitive information can lead to non-compliance with data protection regulations and standards that require safeguarding confidential data.
Specifically, the high impact on confidentiality caused by this vulnerability could violate requirements under regulations like GDPR and HIPAA, which mandate strict controls over the handling and disclosure of sensitive information.
Mitigations such as reviewing directories for unexpected symlinks before publishing and using isolated environments for publishing are recommended to reduce the risk of accidental data exposure and help maintain compliance.
How can this vulnerability impact me? :
This vulnerability can lead to the unintended inclusion and exposure of sensitive files in published Gleam packages. If an attacker places a malicious symlink in the project, files such as secrets, tokens, or SSH keys that are readable by the publisher can be embedded into the package artifact without detection.
As a result, sensitive information may be leaked to anyone who downloads or inspects the published package, compromising confidentiality and potentially leading to further security breaches.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by reviewing the publishable directories such as src/ and priv/ in your Gleam project for unexpected symbolic links that point outside the project root directory.
A practical approach is to list all symlinks within these directories and verify their targets. For example, you can use the following command in a Unix-like system to find symlinks and their targets:
- find src/ priv/ -type l -exec ls -l {} +
This command lists all symbolic links under src/ and priv/ along with their target paths. You should check if any of these targets point outside the project root or to sensitive files.
Additionally, inspecting the contents of the generated package tarball for unexpected files can help detect exploitation. Extract the tarball and look for files that should not be included, especially those outside the project scope.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include reviewing the src/ and priv/ directories in your Gleam project for any unexpected or malicious symbolic links before running publishing commands.
Remove or correct any symlinks that point outside the project root to prevent sensitive files from being included in the package.
Run publishing commands such as gleam publish or gleam export hex-tarball in isolated or restricted environments, like containers, that do not have access to sensitive files on the host system.
Upgrade Gleam to version 1.17.0 or later, where this vulnerability has been patched by adding path validation to ensure only files within the project root are included in the package.