CVE-2025-55214

CVSS

No CVSS.

C

opier library and CLI app for rendering project templates. From 7.1.0 to before 9.9.1, Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the --UNSAFE,--trust flag. As it turns out, a safe template can currently write files outside the destination path where a project shall be generated or updated. This is possible when rendering a generated directory structure whose rendered path is either a relative parent path or an absolute path. Constructing such paths is possible using Copier's builtin pathjoin Jinja filter and its builtin _copier_conf.sep variable, which is the platform-native path separator. This way, a malicious template author can create a template that overwrites arbitrary files (according to the user's write permissions), e.g., to cause havoc. This vulnerability is fixed in 9.9.1.

References

Link	Resource
https://github.com/copier-org/copier/commit/fdbc0167cc22780b497e4db176feaf6f024757d6
https://github.com/copier-org/copier/security/advisories/GHSA-p7q8-grrj-3m8w

Configurations

No configuration.

History

18 Aug 2025, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-18 17:15

Updated : 2025-08-18 20:16

NVD link : CVE-2025-55214

Mitre link : CVE-2025-55214

CVE.ORG link : CVE-2025-55214

JSON object : View

Products Affected

No product.

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2025-55214", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-18T17:15:30.310", "references": [{"url": "https://github.com/copier-org/copier/commit/fdbc0167cc22780b497e4db176feaf6f024757d6", "source": "[email protected]"}, {"url": "https://github.com/copier-org/copier/security/advisories/GHSA-p7q8-grrj-3m8w", "source": "[email protected]"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Copier library and CLI app for rendering project templates. From 7.1.0 to before 9.9.1, Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the --UNSAFE,--trust flag. As it turns out, a safe template can currently write files outside the destination path where a project shall be generated or updated. This is possible when rendering a generated directory structure whose rendered path is either a relative parent path or an absolute path. Constructing such paths is possible using Copier's builtin pathjoin Jinja filter and its builtin _copier_conf.sep variable, which is the platform-native path separator. This way, a malicious template author can create a template that overwrites arbitrary files (according to the user's write permissions), e.g., to cause havoc. This vulnerability is fixed in 9.9.1."}, {"lang": "es", "value": "Librer\u00eda Copier y aplicaci\u00f3n CLI para renderizar plantillas de proyecto. Desde la versi\u00f3n 7.1.0 hasta la 9.9.1, Copier sugiere que es seguro generar un proyecto a partir de una plantilla segura, es decir, una que no utilice funciones inseguras como extensiones personalizadas de Jinja, que requerir\u00edan el indicador --UNSAFE,--trust. Resulta que, actualmente, una plantilla segura puede escribir archivos fuera de la ruta de destino donde se generar\u00e1 o actualizar\u00e1 un proyecto. Esto es posible al renderizar una estructura de directorios generada cuya ruta renderizada es una ruta principal relativa o una ruta absoluta. Estas rutas se pueden construir mediante el filtro pathjoin de Jinja integrado de Copier y su variable _copier_conf.sep integrada, que es el separador de rutas nativo de la plataforma. De esta forma, un creador de plantillas malintencionado puede crear una plantilla que sobrescriba archivos arbitrarios (seg\u00fan los permisos de escritura del usuario), por ejemplo, para causar problemas. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 9.9.1."}], "lastModified": "2025-08-18T20:16:28.750", "sourceIdentifier": "[email protected]"}