CVSS Score

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| keras | pip | <= 3.7.0 | |
The vulnerability stems from improper path validation during tar file extraction. The extract_archive function (called by get_file) passes archive members through filter_safe_paths before extraction. However, filter_safe_paths checks each member path against resolve_path('.'), the current working directory, instead of the directory the archive is actually extracted into. Because the check is anchored to the wrong base directory, a crafted tar entry whose name contains '../' sequences can pass the filter and still escape the target directory when written. The GHSA/CVE explicitly references line 115 in file_utils.py, where extract_archive calls extractall with this flawed validation, confirming this as the root cause.
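To make the root cause concrete, the following Python snippet is an added example, not code from the Keras project or from the advisory. It reimplements the shape of the prefix check with constructed paths for the working directory, the extraction directory and three archive member names, and puts the flawed base directory beside the corrected one. `resolve_path` and `is_path_in_dir` are modelled on the helpers the advisory names; `flawed_accepts`, `fixed_accepts`, `landing_path`, `check_member` and the `/opt/app/...` paths are this example's own assumptions. Nothing is written to disk; the code only computes what each filter would decide and where `extractall` would place the member.

```python
import os

# Constructed locations for the demonstration (not paths taken from the advisory).
CWD = "/opt/app/work"                          # where the Python process was started
EXTRACT_DIR = "/opt/app/cache/datasets/demo"   # the `path` argument given to extract_archive


def resolve_path(path):
    """Absolute, symlink-resolved form of `path` (modelled on the Keras helper of the same name)."""
    return os.path.realpath(os.path.abspath(path))


def is_path_in_dir(path, base_dir):
    """Prefix check in the style of the vulnerable code: does base_dir/path normalize to
    something that starts with base_dir?"""
    return resolve_path(os.path.join(base_dir, path)).startswith(base_dir)


def flawed_accepts(member_name, cwd=CWD):
    """Vulnerable behaviour: the member is validated against the current working directory,
    which is not where extractall() will write it."""
    base_dir = resolve_path(cwd)
    return is_path_in_dir(member_name, base_dir)


def fixed_accepts(member_name, extract_dir=EXTRACT_DIR):
    """Corrected behaviour: validate against the real extraction directory. commonpath is
    used instead of startswith so a sibling such as `demo2` is not mistaken for a child
    of `demo`; that extra hardening is this example's addition, not something the
    advisory states."""
    base_dir = resolve_path(extract_dir)
    target = resolve_path(os.path.join(base_dir, member_name))
    return os.path.commonpath([base_dir, target]) == base_dir


def landing_path(member_name, extract_dir=EXTRACT_DIR):
    """Where extractall(extract_dir) would actually place this member."""
    return resolve_path(os.path.join(extract_dir, member_name))


def check_member(member_name):
    """Summarize how both filters treat one archive member and where it would land."""
    return {
        "member": member_name,
        "flawed_accepts": flawed_accepts(member_name),
        "fixed_accepts": fixed_accepts(member_name),
        "lands_at": landing_path(member_name),
    }


if __name__ == "__main__":
    # Constructed member names: an ordinary file, a naive traversal, and a traversal
    # whose tail mirrors the working directory so the cwd-relative check is satisfied.
    for name in ["data/train.csv", "../sibling.txt", "../../app/work/escaped.txt"]:
        print(check_member(name))
```

The second member shows why the flaw is easy to miss: a plain `../sibling.txt` is rejected by both filters, so casual testing looks fine. The third member normalizes to a location inside the working directory when joined to `CWD`, so the flawed filter accepts it, yet joined to `EXTRACT_DIR` it lands two levels above the extraction directory. Anchoring the check to the directory actually passed to `extractall` is the fix; a test of this shape belongs in the regression suite of any code that wraps tar extraction.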