CVE-2026-43965
Deferred Deferred - Pending Action
Path Traversal in Gleam via Malicious packages.toml

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: EEF

Description
Path traversal vulnerability in Gleam's dependency management allows arbitrary directory deletion via malicious build/packages/packages.toml content. Package keys read from build/packages/packages.toml by LocalPackages::read_from_disc are passed without validation to paths.build_packages_package(), which constructs a filesystem path by joining the project build directory with the attacker-controlled key. The resulting path is then passed to fs::delete_directory (which calls remove_dir_all). No check is performed to ensure the path remains within the intended build/packages/ directory. Both absolute paths and relative traversal sequences (e.g. ../) are accepted as package keys, allowing deletion of arbitrary directories. An attacker who can cause a victim to run gleam deps download on a project containing a malicious build/packages/packages.toml (e.g. by committing the normally-gitignored file to a repository) can cause arbitrary directories on the victim's system to be recursively deleted. This issue affects Gleam from 0.18.0-rc1 until 1.17.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-02
Generated
2026-06-22
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-21
NVD
CVE-2026-43965
EUVD
EUVD-2026-33926
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gleam gleam From 0.18.0-rc1 (inc) to 1.17.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-43965 is a path traversal vulnerability in Gleam's dependency management system that allows an attacker to delete arbitrary directories on a victim's machine.

The vulnerability arises because package keys read from the build/packages/packages.toml file are not properly validated before being used to construct filesystem paths. These keys can include absolute paths or relative traversal sequences like '../'.

When the victim runs the command 'gleam deps download' on a project containing a malicious packages.toml file, the system uses these attacker-controlled keys to build paths and then recursively deletes the directories at those paths.

This can lead to deletion of arbitrary directories on the victim's system, including critical files or directories, without requiring special privileges.

Impact Analysis

This vulnerability can have a significant impact by allowing an attacker to cause arbitrary directory deletion on your system.

  • Loss of important files or directories, including source code, configuration files, or user data.
  • Potential disruption of system availability due to deletion of critical directories.
  • The attack can be executed without requiring elevated privileges, making it easier for attackers to exploit.

The vulnerability is triggered when you run 'gleam deps download' on a project containing a malicious build/packages/packages.toml file, which could be introduced by an attacker committing this normally ignored file to a repository.

Detection Guidance

This vulnerability can be detected by inspecting the build/packages/packages.toml file in your Gleam project for malicious or suspicious package keys that contain absolute paths or relative traversal sequences such as '../'.

Since the vulnerability triggers when running the command 'gleam deps download' on a project containing a malicious packages.toml file, monitoring or auditing this file before running the command is critical.

You can use commands to check for suspicious entries in the packages.toml file, for example:

  • grep -E '\.\.|^/' build/packages/packages.toml
  • grep -E '\.\.|^/' build/packages/packages.toml | cat -n

These commands search for directory traversal patterns ('..') or absolute paths (starting with '/') in the packages.toml file, which are indicators of potential exploitation attempts.

Mitigation Strategies

To mitigate this vulnerability immediately, you should upgrade Gleam to version 1.17.0 or later, where the issue has been patched.

Additionally, avoid running 'gleam deps download' on projects that contain untrusted or suspicious build/packages/packages.toml files, especially those that may have been committed to repositories despite being normally gitignored.

Review and sanitize the packages.toml file to ensure package keys do not contain absolute paths or directory traversal sequences.

The patch includes stricter deserialization rules that restrict package names to only lowercase letters, numbers, and underscores, rejecting invalid names with special characters or traversal sequences.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43965. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart