PT-2026-29811 · Ferret · Ferret
Davidcarliez · Published 2026-04-01 · Updated 2026-04-06 · CVE-2026-34783
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Ferret versions prior to 2.0.0-alpha.4

Description: Ferret is a declarative system for working with web data. A path traversal vulnerability exists in the IO::FS::WRITE standard library function, allowing a malicious website to write arbitrary files to the filesystem of the machine running Ferret. It is triggered when an operator scrapes a website that returns filenames containing '../' sequences and uses those filenames to construct output paths. Because the attacker controls both the destination path and the file content, the flaw can lead to remote code execution via cron jobs, SSH authorized keys, shell profiles, or web shells. The root cause is the lack of path sanitization in IO::FS::WRITE, which passes user-supplied file paths directly to os.OpenFile without canonicalization, base directory enforcement, or rejection of traversal sequences. In the reported scenario the API endpoint 'http://evil.com/api/articles' returns a JSON payload containing filenames with path traversal sequences; the vulnerable parameter is the 'name' field of that JSON, which is used to build the output path. The attacker can target paths such as '/etc/cron.d/' for command execution, '~/.ssh/authorized_keys' for SSH access, and application config files for credential theft.

Recommendations: Update to Ferret version 2.0.0-alpha.4 or later. As a temporary workaround, reject path traversal in IO::FS::WRITE and IO::FS::READ by resolving the path and verifying that it does not contain '..' after cleaning. Alternatively, implement base directory enforcement to jail filesystem operations to a specific directory.

Exploit · Fix · Path traversal
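The following Go program is an added illustration of the mitigation the recommendations describe (clean the path, then reject anything that still climbs above the output directory, combined with base directory enforcement). It is not code from the Ferret project, from its fix, or from this advisory; the function names SafeJoin and JailedWrite, the sample scraped names, and the temporary output directory are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a scraped name would resolve outside the
// output directory the operator intended to write into.
var ErrOutsideBase = errors.New("path escapes base directory")

// SafeJoin cleans base/name and returns the result only if it still lies
// inside base. This is the "resolve, then reject '..' after cleaning" check
// from the advisory's workaround combined with base directory enforcement.
// Names are expected to be relative; an absolute name is rejected outright
// rather than silently re-rooted under base. (Hypothetical helper, not a
// Ferret API.)
func SafeJoin(base, name string) (string, error) {
	if name == "" {
		return "", errors.New("empty file name")
	}
	if filepath.IsAbs(name) {
		return "", ErrOutsideBase
	}
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	// filepath.Join runs Clean, so "archive/../../x" collapses to "<parent>/x"
	// before we compare. Checking the raw string for ".." would be both too
	// strict (it would reject the legitimate name "a/..b") and too weak (it
	// says nothing about where the cleaned path actually lands).
	joined := filepath.Join(absBase, name)
	rel, err := filepath.Rel(absBase, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return joined, nil
}

// JailedWrite writes data to base/name only when SafeJoin accepts the name,
// instead of handing the unchecked name straight to os.OpenFile, which is the
// unpatched pattern the advisory describes. Caveat: if base itself may contain
// symlinks pointing elsewhere, resolve it with filepath.EvalSymlinks first.
// (Hypothetical helper, not a Ferret API.)
func JailedWrite(base, name string, data []byte) (string, error) {
	target, err := SafeJoin(base, name)
	if err != nil {
		return "", err
	}
	if err := os.MkdirAll(filepath.Dir(target), 0o700); err != nil {
		return "", err
	}
	if err := os.WriteFile(target, data, 0o600); err != nil {
		return "", err
	}
	return target, nil
}

func main() {
	// Constructed sample: "name" values a scraped JSON article list might
	// carry, including traversal attempts of the kind the advisory describes.
	scrapedNames := []string{
		"articles/2026-04-01.json",
		"archive/../latest.json",
		"../../etc/cron.d/job",
		"/etc/passwd",
	}
	base, err := os.MkdirTemp("", "ferret-out-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	for _, n := range scrapedNames {
		if p, err := JailedWrite(base, n, []byte("{}")); err != nil {
			fmt.Printf("rejected %q: %v\n", n, err)
		} else {
			fmt.Printf("wrote    %q -> %s\n", n, p)
		}
	}
}
```

The design point is that the comparison happens on the cleaned, absolute path rather than on the raw string: a name such as "archive/../latest.json" is accepted because it still lands inside the output directory, while "../../etc/cron.d/job" is rejected because, after cleaning, it resolves above it. The same check should be applied to reads as the advisory recommends for IO::FS::READ.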
Affected Products: Ferret