
CVE-2025-8406: ZenML is vulnerable to Path Traversal through its `PathMaterializer` class

CVSS Score: 6.3 (CVSS 3.0)

Basic Information

EPSS Score: 0.00886%
Published: 10/5/2025
Updated: 10/7/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| zenml | pip | >= 0.81.0, < 0.84.2 | 0.84.2 |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability lies in the `PathMaterializer.load` function in ZenML, which loads data from a tar archive. The patch `5d22a48d7bf6c7f10b748577c2be79cc7969d398` shows both the vulnerability and its fix. According to the vulnerability description, `is_path_within_directory` was used to validate file paths during extraction, but it failed to handle symbolic and hard links correctly. The patch confirms this by introducing a new function, `_is_safe_tar_member`, which explicitly checks for symbolic and hard links (`member.issym()` or `member.islnk()`) and validates their `linkname`. `load` was modified to use this new, safer function. `PathMaterializer.load` is therefore the vulnerable function: it was the one performing the unsafe extraction.

Vulnerable functions

Function: `PathMaterializer.load`
File: `src/zenml/materializers/path_materializer.py`
The `load` function in the `PathMaterializer` class was vulnerable to path traversal. Before the patch, it would extract files from a tar archive (`data.tar.gz`) by checking if the member's name was within the target directory using `is_path_within_directory`. However, this check was insufficient as it did not validate the target path for symbolic or hard links within the archive. A malicious user could craft a tar archive containing a symbolic or hard link that points to a location outside of the intended extraction directory, leading to arbitrary file writes when the `load` function is called.
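
The link check described above, as an added example (not ZenML's patch and not code from this page): it validates the member name and, for symbolic and hard links, the `linkname` as well. The names `is_within`, `is_safe_member`, `build_sample_archive` and `classify` are hypothetical, and the archive is constructed in memory; a name-only check would accept all four of its members.

```python
import io
import os
import tarfile


def is_within(base: str, path: str) -> bool:
    """True if path, once resolved, stays inside base."""
    base = os.path.realpath(base)
    return os.path.commonpath([base, os.path.realpath(path)]) == base


def is_safe_member(member: tarfile.TarInfo, dest: str) -> bool:
    """Hypothetical check: validate the member name and, for links, the link target."""
    if not is_within(dest, os.path.join(dest, member.name)):
        return False
    if member.issym():
        # A symlink target is resolved relative to the directory holding the link.
        link_dir = os.path.dirname(os.path.join(dest, member.name))
        return is_within(dest, os.path.join(link_dir, member.linkname))
    if member.islnk():
        # A hard link target is a member path relative to the archive root.
        return is_within(dest, os.path.join(dest, member.linkname))
    return member.isfile() or member.isdir()


def build_sample_archive() -> bytes:
    """Constructed sample: one regular file plus links with inside and outside targets."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = b"hello"
        info = tarfile.TarInfo("data/file.txt")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
        for name, kind, target in [
            ("data/ok_link", tarfile.SYMTYPE, "file.txt"),
            ("data/sym_out", tarfile.SYMTYPE, "../../outside"),
            ("data/hard_out", tarfile.LNKTYPE, "../outside"),
        ]:
            link = tarfile.TarInfo(name)
            link.type, link.linkname = kind, target
            tar.addfile(link)
    return buf.getvalue()


def classify(archive: bytes, dest: str) -> dict:
    """Map each member name to whether it passes the check for dest."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        return {m.name: is_safe_member(m, dest) for m in tar.getmembers()}
```

On Python versions that ship tarfile extraction filters (PEP 706), `tar.extractall(dest, filter="data")` applies comparable link checks at extraction time.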
