EEF-CVE-2026-42795

See a problem?
Please try reporting it to the source first.

Source

https://cna.erlef.org/osv/EEF-CVE-2026-42795.html

Import Source

https://cna.erlef.org/osv/EEF-CVE-2026-42795.json

JSON Data

https://api.osv.dev/v1/vulns/EEF-CVE-2026-42795

Aliases

CVE-2026-42795
GHSA-qhh5-fg4c-8gqc

Published

2026-06-02T13:41:39.527Z

Modified

2026-06-02T19:09:10.282Z

Severity

5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Symlink Following in Hex Package Export Allows Embedding Files Outside Project Root

Details

Summary

Symlink following vulnerability in Gleam's Hex package export allows files outside the project root to be embedded in the generated package tarball.

The file collection helpers (gleamfiles, nativefiles, privatefiles) in compiler-cli/src/fs.rs use followlinks(true) when walking publishable directories such as src/ and priv/. The collected paths are added to the package archive via addpathto_tar in compiler-cli/src/publish.rs without verifying that the resolved target remains within the project root. A symlink placed under a publishable directory will cause gleam export hex-tarball or gleam publish to embed the contents of the symlink target into the generated Hex package.

An attacker with write access to the project repository can place a symlink in src/ or priv/ pointing to an arbitrary file. When a maintainer or CI pipeline runs gleam publish or gleam export hex-tarball, local files readable by the publisher (such as secrets, tokens, or SSH keys) are silently embedded into the published package artifact.

This issue affects Gleam from 0.10.0-rc1 until 1.17.0.

Workaround

Avoid running gleam publish or gleam export hex-tarball on untrusted projects
Review the contents of src/ and priv/ for unexpected symlinks before publishing
Run publishing commands in a restricted or isolated environment (e.g. containers)

Database specific

{
    "cwe_ids": [
        "CWE-59"
    ],
    "cpe_ids": [
        "cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
    ],
    "capec_ids": [
        "CAPEC-132"
    ]
}

References

Credits

- Aly (spect3r1) - FINDER
- Abdelrahman Ahmed Aboelkasem (0x2face) - FINDER
- Louis Pilfold - REMEDIATION_DEVELOPER
- Jonatan Männchen / EEF - ANALYST

Affected packages

Git / github.com/gleam-lang/gleam

Affected ranges

Type: GIT
Repo: https://github.com/gleam-lang/gleam
Events: Introduced

c82a2d83bd0c06cafdc196820deb3f89a9b3ff7c

Fixed

6435a5528b9ae0449e2f32be579641ec485f6866

Affected versions

Other

nightly

v0.*

v0.10.0

v0.10.0-rc1

v0.10.0-rc2

v0.10.1

v0.11.0

v0.11.0-rc1

v0.11.0-rc2

v0.11.0-rc3

v0.11.1

v0.11.2

v0.12.0

v0.12.0-rc3

v0.12.0-rc4

v0.12.1

v0.13.0

v0.13.0-rc1

v0.13.0-rc2

v0.13.1

v0.13.2

v0.14.0

v0.14.0-rc1

v0.14.0-rc2

v0.14.1

v0.14.2

v0.14.3

v0.14.4

v0.15.0

v0.15.0-rc1

v0.15.1

v0.16.0

v0.16.0-rc1

v0.16.0-rc2

v0.16.0-rc3

v0.16.0-rc4

v0.16.1

v0.17.0

v0.17.0-rc1

v0.17.0-rc2

v0.18.0

v0.18.0-rc1

v0.18.0-rc2

v0.18.0-rc3

v0.18.1

v0.18.2

v0.19.0

v0.19.0-rc1

v0.19.0-rc2

v0.19.0-rc3

v0.19.0-rc4

v0.20.0

v0.20.0-rc1

v0.20.1

v0.21.0

v0.21.0-rc1

v0.21.0-rc2

v0.22.0

v0.22.0-rc1

v0.22.1

v0.23.0

v0.23.0-rc1

v0.23.0-rc2

v0.24.0

v0.24.0-rc1

v0.24.0-rc2

v0.24.0-rc3

v0.24.0-rc4

v0.25.0

v0.25.0-rc1

v0.25.0-rc2

v0.25.1

v0.25.2

v0.25.3

v0.26.0

v0.26.0-rc1

v0.26.1

v0.26.2

v0.27.0

v0.27.0-rc1

v0.28.0

v0.28.0-rc1

v0.28.0-rc2

v0.28.0-rc3

v0.28.1

v0.28.2

v0.28.3

v0.29.0

v0.29.0-rc1

v0.29.0-rc2

v0.30.0

v0.30.0-rc1

v0.30.0-rc2

v0.30.0-rc3

v0.30.0-rc4

v0.30.1

v0.30.2

v0.30.3

v0.30.4

v0.30.5

v0.31.0

v0.31.0-rc1

v0.32.0

v0.32.0-rc1

v0.32.0-rc2

v0.32.0-rc3

v0.32.1

v0.32.2

v0.32.3

v0.32.4

v0.33.0

v0.33.0-rc1

v0.33.0-rc2

v0.33.0-rc3

v0.33.0-rc4

v0.34.0

v0.34.0-rc1

v0.34.0-rc2

v0.34.1

v1.*

v1.0.0

v1.0.0-rc1

v1.0.0-rc2

v1.1.0

v1.1.0-rc1

v1.1.0-rc2

v1.1.0-rc3

v1.10.0

v1.10.0-rc1

v1.11.0

v1.11.0-rc1

v1.11.0-rc2

v1.11.1

v1.12.0

v1.12.0-rc1

v1.12.0-rc2

v1.12.0-rc3

v1.13.0

v1.13.0-rc1

v1.13.0-rc2

v1.14.0

v1.14.0-rc1

v1.14.0-rc2

v1.14.0-rc3

v1.15.0

v1.15.0-rc1

v1.15.0-rc2

v1.15.1

v1.16.0

v1.16.0-rc1

v1.16.0-rc2

v1.16.0-rc3

v1.16.0-rc4

v1.17.0-rc1

v1.17.0-rc2

v1.2.0

v1.2.0-rc1

v1.2.0-rc2

v1.2.1

v1.3.0

v1.3.0-rc1

v1.3.0-rc2

v1.3.0-rc3

v1.3.1

v1.3.2

v1.4.0

v1.4.0-rc1

v1.4.1

v1.5.0

v1.5.0-rc1

v1.5.0-rc2

v1.6.0

v1.6.0-rc1

v1.6.0-rc2

v1.6.1

v1.7.0-rc1

v1.7.0-rc2

v1.7.0-rc3

v1.8.0

v1.8.0-rc1

v1.9.0

v1.9.0-rc1

v1.9.0-rc2

v1.9.1

Database specific

source

"https://cna.erlef.org/osv/EEF-CVE-2026-42795.json"