EEF-CVE-2026-43965

Source
https://cna.erlef.org/osv/EEF-CVE-2026-43965.html
Import Source
https://cna.erlef.org/osv/EEF-CVE-2026-43965.json
JSON Data
https://api.osv.dev/v1/vulns/EEF-CVE-2026-43965
Aliases
  • CVE-2026-43965
  • GHSA-jqvf-f6p2-wrv3
Published
2026-06-02T13:41:37.421Z
Modified
2026-06-02T19:14:19.113Z
Severity
  • 5.6 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
Path Traversal in build/packages/packages.toml Allows Arbitrary Directory Deletion
Details

Summary

Path traversal vulnerability in Gleam's dependency management allows arbitrary directory deletion via malicious build/packages/packages.toml content.

Package keys read from build/packages/packages.toml by LocalPackages::read_from_disc are passed without validation to paths.build_packages_package(), which constructs a filesystem path by joining the project build directory with the attacker-controlled key. The resulting path is then passed to fs::delete_directory (which calls remove_dir_all). No check is performed to ensure the path remains within the intended build/packages/ directory. Both absolute paths and relative traversal sequences (e.g. ../) are accepted as package keys, allowing deletion of arbitrary directories.

An attacker who can cause a victim to run gleam deps download on a project containing a malicious build/packages/packages.toml (e.g. by committing the normally-gitignored file to a repository) can cause arbitrary directories on the victim's system to be recursively deleted.

This issue affects Gleam from 0.18.0-rc1 until 1.17.0.
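As an added illustration, not Gleam's own code or its actual fix, this is the check a defender wants before the join described above: a package key is accepted only if it is a single plain directory name, so traversal sequences, absolute paths and embedded separators are rejected before anything reaches remove_dir_all. The function names and sample keys are assumptions made for the example.

```rust
use std::fs;
use std::io;
use std::path::{Component, Path, PathBuf};

/// A package key that is not a single, plain directory name.
#[derive(Debug, PartialEq)]
pub struct UnsafePackageKey(pub String);

/// Map a key from packages.toml to a directory strictly inside `packages_dir`.
/// Only one `Normal` path component is accepted, so "..", "/", drive
/// prefixes, "./" and embedded separators are all rejected before any join.
pub fn validated_package_dir(packages_dir: &Path, key: &str) -> Result<PathBuf, UnsafePackageKey> {
    let mut comps = Path::new(key).components();
    match (comps.next(), comps.next()) {
        // `name == key` also rejects keys that normalise away a trailing slash.
        (Some(Component::Normal(name)), None) if name == key => Ok(packages_dir.join(name)),
        _ => Err(UnsafePackageKey(key.to_string())),
    }
}

/// Delete a package directory only after the key has been validated.
pub fn delete_package_dir(packages_dir: &Path, key: &str) -> io::Result<()> {
    let dir = validated_package_dir(packages_dir, key).map_err(|e| {
        io::Error::new(io::ErrorKind::InvalidInput, format!("unsafe package key {:?}", e.0))
    })?;
    // Defence in depth: the joined path must still sit under packages_dir.
    if !dir.starts_with(packages_dir) {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "path escaped packages dir"));
    }
    fs::remove_dir_all(dir)
}

fn main() {
    // Constructed sample keys, modelled on the kinds of values the advisory describes.
    let packages_dir = Path::new("build/packages");
    for key in ["gleam_stdlib", "../..", "/", "../../home", "./x", "a/b"] {
        match validated_package_dir(packages_dir, key) {
            Ok(p) => println!("{key:?} -> would delete {}", p.display()),
            Err(e) => println!("{key:?} -> rejected ({:?})", e.0),
        }
    }
}
```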

Database specific
{
    "cpe_ids": [
        "cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
    ],
    "capec_ids": [
        "CAPEC-139",
        "CAPEC-597"
    ],
    "cwe_ids": [
        "CWE-22"
    ]
}
References
Credits
    • Aly (spect3r1) - FINDER
    • Abdelrahman Ahmed Aboelkasem (0x2face) - FINDER
    • Louis Pilfold - REMEDIATION_DEVELOPER
    • Jonatan Männchen / EEF - ANALYST

Affected packages

Git / github.com/gleam-lang/gleam

Affected ranges

Type
GIT
Repo
https://github.com/gleam-lang/gleam
Events

Affected versions

Other
nightly
v0.*
v0.18.0
v0.18.0-rc1
v0.18.0-rc2
v0.18.0-rc3
v0.18.1
v0.18.2
v0.19.0
v0.19.0-rc1
v0.19.0-rc2
v0.19.0-rc3
v0.19.0-rc4
v0.20.0
v0.20.0-rc1
v0.20.1
v0.21.0
v0.21.0-rc1
v0.21.0-rc2
v0.22.0
v0.22.0-rc1
v0.22.1
v0.23.0
v0.23.0-rc1
v0.23.0-rc2
v0.24.0
v0.24.0-rc1
v0.24.0-rc2
v0.24.0-rc3
v0.24.0-rc4
v0.25.0
v0.25.0-rc1
v0.25.0-rc2
v0.25.1
v0.25.2
v0.25.3
v0.26.0
v0.26.0-rc1
v0.26.1
v0.26.2
v0.27.0
v0.27.0-rc1
v0.28.0
v0.28.0-rc1
v0.28.0-rc2
v0.28.0-rc3
v0.28.1
v0.28.2
v0.28.3
v0.29.0
v0.29.0-rc1
v0.29.0-rc2
v0.30.0
v0.30.0-rc1
v0.30.0-rc2
v0.30.0-rc3
v0.30.0-rc4
v0.30.1
v0.30.2
v0.30.3
v0.30.4
v0.30.5
v0.31.0
v0.31.0-rc1
v0.32.0
v0.32.0-rc1
v0.32.0-rc2
v0.32.0-rc3
v0.32.1
v0.32.2
v0.32.3
v0.32.4
v0.33.0
v0.33.0-rc1
v0.33.0-rc2
v0.33.0-rc3
v0.33.0-rc4
v0.34.0
v0.34.0-rc1
v0.34.0-rc2
v0.34.1
v1.*
v1.0.0
v1.0.0-rc1
v1.0.0-rc2
v1.1.0
v1.1.0-rc1
v1.1.0-rc2
v1.1.0-rc3
v1.10.0
v1.10.0-rc1
v1.11.0
v1.11.0-rc1
v1.11.0-rc2
v1.11.1
v1.12.0
v1.12.0-rc1
v1.12.0-rc2
v1.12.0-rc3
v1.13.0
v1.13.0-rc1
v1.13.0-rc2
v1.14.0
v1.14.0-rc1
v1.14.0-rc2
v1.14.0-rc3
v1.15.0
v1.15.0-rc1
v1.15.0-rc2
v1.15.1
v1.16.0
v1.16.0-rc1
v1.16.0-rc2
v1.16.0-rc3
v1.16.0-rc4
v1.17.0-rc1
v1.17.0-rc2
v1.2.0
v1.2.0-rc1
v1.2.0-rc2
v1.2.1
v1.3.0
v1.3.0-rc1
v1.3.0-rc2
v1.3.0-rc3
v1.3.1
v1.3.2
v1.4.0
v1.4.0-rc1
v1.4.1
v1.5.0
v1.5.0-rc1
v1.5.0-rc2
v1.6.0
v1.6.0-rc1
v1.6.0-rc2
v1.6.1
v1.7.0-rc1
v1.7.0-rc2
v1.7.0-rc3
v1.8.0
v1.8.0-rc1
v1.9.0
v1.9.0-rc1
v1.9.0-rc2
v1.9.1

Database specific

source
"https://cna.erlef.org/osv/EEF-CVE-2026-43965.json"