PT-2026-45757 · Gleam · Gleam

Louis Pilfold · Published 2026-06-02 · Updated 2026-06-02 · CVE-2026-43965

CVSS v4.0: 5.6 (Medium)
Vector: AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Gleam versions 0.18.0-rc1 through 1.17.0
Description: A path traversal issue in the dependency management system allows for the recursive deletion of arbitrary directories. This occurs because package keys read from the build/packages/packages.toml file by the LocalPackages::read_from_disc function are passed without validation to paths.build_packages_package(). This function constructs a filesystem path by joining the project build directory with an attacker-controlled key, and the result is then passed to fs::delete_directory (which calls remove_dir_all). Since the system does not verify that the path remains within the intended build/packages/ directory, both absolute paths and relative traversal sequences (such as ../) can be used to target and delete any directory on the victim's system when the gleam deps download command is executed on a project containing a malicious configuration file.
Recommendations: Update Gleam to a version later than 1.17.0.
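The root cause above is a join of a trusted base directory with an untrusted key, followed by a recursive delete, with no containment check in between. The following Rust example is added here to illustrate that pattern and the check that closes it; it is not Gleam's own code. The function names (validated_package_dir, unchecked_package_dir, prune_packages) and the sample keys are constructed for the example. The safe variant accepts only keys that are a single normal path component, so absolute paths, "..", embedded separators and empty names are rejected before any path is handed to a delete routine.

```rust
use std::path::{Component, Path, PathBuf};

/// Vulnerable shape, as the advisory describes: the key from packages.toml is
/// joined to the build directory unconditionally. Note that Path::join with an
/// absolute right-hand side *replaces* the base, so "/etc" yields "/etc".
pub fn unchecked_package_dir(build_packages: &Path, key: &str) -> PathBuf {
    build_packages.join(key)
}

/// Hardened shape (hypothetical helper): only a single Normal path component is
/// accepted, which guarantees the result is a direct child of build_packages.
/// Returns None for anything else so the caller never reaches the delete.
pub fn validated_package_dir(build_packages: &Path, key: &str) -> Option<PathBuf> {
    let mut components = Path::new(key).components();
    match (components.next(), components.next()) {
        // Exactly one component, and it is a plain name (not "/", "..", ".", or
        // a Windows prefix). Backslashes are rejected too, since on Unix they are
        // legal in a name but would act as separators if the path were reused on
        // Windows.
        (Some(Component::Normal(name)), None)
            if !name.is_empty() && !name.to_string_lossy().contains('\\') =>
        {
            Some(build_packages.join(name))
        }
        _ => None,
    }
}

/// Deletes only validated package directories via the supplied callback and
/// returns the keys that were refused, so a caller can log or abort on them.
/// The callback stands in for a recursive delete such as remove_dir_all.
pub fn prune_packages<F: FnMut(&Path)>(
    build_packages: &Path,
    keys: &[&str],
    mut delete: F,
) -> Vec<String> {
    let mut rejected = Vec::new();
    for key in keys {
        match validated_package_dir(build_packages, key) {
            Some(dir) => delete(&dir),
            None => rejected.push((*key).to_string()),
        }
    }
    rejected
}

fn main() {
    let base = Path::new("build/packages");
    // Constructed sample keys: one legitimate name, two traversal attempts.
    let keys = ["gleam_stdlib", "../../../home", "/etc"];

    for key in keys {
        println!("unchecked: {:?} -> {}", key, unchecked_package_dir(base, key).display());
    }

    let mut would_delete = Vec::new();
    let rejected = prune_packages(base, &keys, |dir| would_delete.push(dir.to_path_buf()));
    println!("validated deletes: {:?}", would_delete);
    println!("rejected keys:     {:?}", rejected);
}
```

Canonicalising and then checking `starts_with` on the base is the other common approach, but it requires the path to exist and still allows nested paths like a/b; restricting the key to one normal component is simpler to reason about and matches the intended layout, where each package is a direct child of build/packages/.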

Exploit

Fix

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2026-43965
GHSA-JQVF-F6P2-WRV3

Affected Products

Gleam