GHSA-r887-gfxh-m9rr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-r887-gfxh-m9rr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-r887-gfxh-m9rr/GHSA-r887-gfxh-m9rr.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-r887-gfxh-m9rr
- Aliases
- Related
- Published
- 2023-02-08T18:07:16Z
- Modified
- 2026-03-13T22:01:04.184652Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- mrpack-install vulnerable to path traversal with dependency
- Details
-
Impact
Importing a malicious
.mrpackfile can cause path traversal while downloading files. This can lead to scripts or config files being placed or replaced at arbitrary locations, without the user noticing.Patches
No patches yet.
Workarounds
Avoid importing
.mrpackfiles from untrusted sources.References
https://docs.modrinth.com/docs/modpacks/format_definition/#files
- Database specific
{ "cwe_ids": [ "CWE-22" ], "github_reviewed_at": "2023-02-08T18:07:16Z", "nvd_published_at": "2023-06-26T15:15:09Z", "severity": "HIGH", "github_reviewed": true }- References
-
- https://github.com/nothub/mrpack-install/security/advisories/GHSA-r887-gfxh-m9rr
- https://nvd.nist.gov/vuln/detail/CVE-2023-25307
- https://github.com/nothub/mrpack-install/commit/a1f424b6a616d2de95228781eef3b92b9769f23c
- https://github.com/nothub/mrpack-install
- https://github.com/nothub/mrpack-install/releases/tag/v0.16.3
- https://quiltmc.org/en/blog/2023-02-04-five-installer-vulnerabilities
Affected packages
Go / github.com/nothub/mrpack-install
Package
- Name
- github.com/nothub/mrpack-install
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/nothub/mrpack-install