PT-2026-46119 · PyPI · EasyOCR

Published: 2026-06-03 · Updated: 2026-06-03 · CVE-2026-44017

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: EasyOCR versions prior to 2.91.0

Description: The model download functionality extracts ZIP archives without validating member paths, which exposes it to Zip Slip. Zip Slip is a form of path traversal that occurs when an application extracts a ZIP archive whose member names contain traversal sequences (such as ../) or absolute paths, so the member is written outside the intended extraction directory. If the model download source is compromised through a supply chain attack, DNS spoofing, or a man-in-the-middle attack, an attacker could write arbitrary files to any location writable by the process. This could lead to remote code execution by overwriting Python files or system binaries, persistent backdoors through modified SSH keys or startup scripts, and general data corruption.

Recommendations: Update to version 2.91.0 or later. Ensure model downloads occur over secure, authenticated channels (HTTPS with certificate verification enabled). Use integrity verification, such as a pinned checksum compared before extraction, for downloaded models. Run the application with minimal file system permissions, so that even a successful write is confined to the model directory.
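The vulnerable pattern described above and the hardened extraction the recommendations call for, as an added example that is not part of this advisory or of EasyOCR's code base. It builds a malicious archive in memory (a constructed sample; the model file name craft_mlt_25k.pth is a hypothetical placeholder), extracts it with a hand-rolled extractor that joins member names onto the destination without validation, and then with one that checks a pinned SHA-256 digest and resolves every member under the destination before writing anything.

```python
"""Zip Slip in a model-download extractor: a constructed malicious archive,
the vulnerable extraction pattern, and a hardened extractor that verifies a
SHA-256 digest and validates every member path before writing anything.
Added example; not EasyOCR's code."""
import hashlib
import io
import os
import tempfile
import zipfile

# Constructed sample archive: one plausible model file (hypothetical name)
# plus one member whose name climbs two directories above the extraction root.
LEGIT_MEMBER = "craft_mlt_25k.pth"
EVIL_MEMBER = "../../escaped.txt"


class ZipSlipError(ValueError):
    """Raised when an archive member would resolve outside the destination."""


class ChecksumError(ValueError):
    """Raised when the archive digest does not match the pinned value."""


def build_malicious_zip() -> bytes:
    """Build the attacker's archive in memory (no network involved)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(LEGIT_MEMBER, b"model weights")
        zf.writestr(EVIL_MEMBER, b"attacker-controlled content")
    return buf.getvalue()


def unsafe_extract(zip_bytes: bytes, dest: str) -> list:
    """Vulnerable pattern: join the member name onto dest and write it.
    Returns the real paths written. Python's ZipFile.extractall() strips
    '..' components itself, so the bug lives in hand-rolled loops like this."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # no validation
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def resolve_inside(dest: str, member_name: str) -> str:
    """Resolve a member name under dest; raise unless it stays inside.
    Catches '../' sequences, absolute names and symlinked parent directories."""
    base = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(base, member_name))
    if os.path.commonpath([base, target]) != base:
        raise ZipSlipError(f"member {member_name!r} escapes {dest!r}")
    return target


def member_escapes(dest: str, member_name: str) -> bool:
    """True if extracting member_name into dest would write outside dest."""
    try:
        resolve_inside(dest, member_name)
    except ZipSlipError:
        return True
    return False


def safe_extract(zip_bytes: bytes, dest: str, expected_sha256: str) -> list:
    """Hardened extractor: pinned digest first, then validate every member
    before writing any, so a bad archive leaves no partial state behind."""
    actual = hashlib.sha256(zip_bytes).hexdigest()
    if actual != expected_sha256:
        raise ChecksumError(f"sha256 {actual} != expected {expected_sha256}")
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        plan = [(info, resolve_inside(dest, info.filename)) for info in zf.infolist()]
        for info, target in plan:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors against the constructed archive in a temp tree."""
    payload = build_malicious_zip()
    good_digest = hashlib.sha256(payload).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        models = os.path.join(tmp, "root", "models")
        os.makedirs(models)
        root = os.path.realpath(models)
        # The vulnerable extractor writes escaped.txt two levels above models/.
        escaped = [os.path.basename(p) for p in unsafe_extract(payload, models)
                   if os.path.commonpath([root, p]) != root]
        try:
            safe_extract(payload, models, good_digest)
            slip_blocked = False
        except ZipSlipError:
            slip_blocked = True
        try:
            safe_extract(payload, models, "0" * 64)
            checksum_blocked = False
        except ChecksumError:
            checksum_blocked = True
    return {"escaped": escaped, "slip_blocked": slip_blocked,
            "checksum_blocked": checksum_blocked}


if __name__ == "__main__":
    print(demo())
```

The path check compares real paths, so a symlink planted earlier in the extraction directory cannot be used to redirect a later member outside it; validating the whole member list before the first write is what prevents a half-extracted archive from being left behind when one member is rejected.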

Fix

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2026-44017
GHSA-CJQG-RQ2H-2FVJ

Affected Products

EasyOCR