PT-2025-36397
Pengowray
Published: 2025-09-05 · Updated: 2026-02-02
CVE-2025-58438
CVSS v4.0: 9.4 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Vulnerable software and affected versions: internetarchive versions 5.5.0 and below
Description: The internetarchive library contains a directory traversal vulnerability in the File.download() method. The method neither sanitizes user-supplied filenames nor validates the final download path. A maliciously crafted filename containing path traversal sequences (e.g., ../../../../windows/system32/file.txt) or illegal characters could allow an attacker to write files outside the intended target directory. This could lead to denial of service, privilege escalation, or remote code execution. All operating systems are affected, with a potentially higher risk for Windows systems.
Recommendations: Update to internetarchive version 5.5.1 or later.
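The two checks the description says are missing (filename sanitization and validation of the final download path) look like this when both are applied before a download is written. This is an added illustration written for this record, not the internetarchive project's code or its 5.5.1 fix; `safe_download_path`, `is_safe_filename`, `UnsafeFilenameError` and the sample filenames are constructed for the example.

```python
import os
import re

# Characters Windows forbids in file names, plus the control range. Rejecting
# them on every platform avoids a file that is writable on Linux but unusable
# (or aliased to another name) once copied to Windows. Constructed for this example.
_ILLEGAL_CHARS = re.compile(r'[<>:"|?*\x00-\x1f]')
_DRIVE_PREFIX = re.compile(r"^[A-Za-z]:")


class UnsafeFilenameError(ValueError):
    """Raised when a remote-supplied filename must not be written to disk."""


def safe_download_path(target_dir: str, filename: str) -> str:
    """Return an absolute path under target_dir for a remote-supplied filename.

    Hypothetical hardened replacement for an unchecked os.path.join of
    target_dir and filename. Two independent layers:
      1. lexical checks reject traversal segments, absolute paths and
         illegal characters before any path arithmetic happens;
      2. the resolved final path must still lie inside the target directory,
         which catches anything the lexical checks miss (symlinked components,
         platform-specific normalization).
    """
    if not filename:
        raise UnsafeFilenameError("empty filename")

    # Treat backslashes as separators: "..\\..\\x" is not traversal on POSIX,
    # but becomes traversal as soon as the same name is used on Windows.
    normalized = filename.replace("\\", "/")
    if normalized.startswith("/") or _DRIVE_PREFIX.match(normalized):
        raise UnsafeFilenameError(f"absolute path or drive prefix not allowed: {filename!r}")

    parts = normalized.split("/")
    if any(part in ("", ".", "..") for part in parts):
        raise UnsafeFilenameError(f"traversal or empty path segment: {filename!r}")
    for part in parts:
        if _ILLEGAL_CHARS.search(part):
            raise UnsafeFilenameError(f"illegal characters in filename: {filename!r}")
        # Windows silently strips trailing dots and spaces, so "file.txt." would
        # alias "file.txt"; refuse rather than guess.
        if part.endswith((" ", ".")):
            raise UnsafeFilenameError(f"trailing dot or space in segment: {filename!r}")

    root = os.path.realpath(target_dir)
    final = os.path.realpath(os.path.join(root, *parts))
    # Defence in depth: the resolved path must have the target dir as its prefix.
    if os.path.commonpath([root, final]) != root:
        raise UnsafeFilenameError(f"resolved path escapes target dir: {final!r}")
    return final


def is_safe_filename(target_dir: str, filename: str) -> bool:
    """Convenience wrapper: True if the name would be accepted, False otherwise."""
    try:
        safe_download_path(target_dir, filename)
        return True
    except UnsafeFilenameError:
        return False


if __name__ == "__main__":
    # Constructed sample names, including the traversal string from the advisory text.
    samples = [
        "item/file.txt",
        "../../../../windows/system32/file.txt",
        "..\\..\\windows\\file.txt",
        "/etc/passwd",
        "C:\\boot.ini",
        "report\x00.txt",
        "notes.",
    ]
    for name in samples:
        verdict = "ok    " if is_safe_filename("downloads", name) else "reject"
        print(f"{verdict}  {name!r}")
```

The lexical layer alone would be enough for the example in the description, but a path check that stops at string matching is fragile; keeping the `realpath`/`commonpath` comparison as a second layer means a filename that survives the first layer still cannot land outside `target_dir`.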

Tags: Exploit · Fix · DoS · LPE · RCE · Path traversal

Weakness Enumeration

Related Identifiers

CVE-2025-58438
DLA-4314-1
DSA-6035-1
GHSA-WX3R-V6H7-FRJP
USN-7989-1

Affected Products

Debian
Linuxmint
Ubuntu
Internetarchive