5.8

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2025-8917

GHSA ID

GHSA-579p-qf78-fqm2

EPSS Score

0.03053%

CWE

CWE-22

Published

10/5/2025

Updated

10/7/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-8917

CVE-2025-8917: clearml is vulnerable to Path Traversal through its `safe_extract` function

A vulnerability in clearml versions before 2.0.2 allows for path traversal due to improper handling of symbolic and hard links in the safe_extract function. This flaw can lead to arbitrary file writes outside the intended directory, potentially resulting in remote code execution if critical files are overwritten.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-8917

CVE-2025-8917:

5.8

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2025-8917

GHSA ID

GHSA-579p-qf78-fqm2

EPSS Score

0.03053%

CWE

CWE-22

Published

10/5/2025

Updated

10/7/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
clearml	pip	< 2.0.2	2.0.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the provided commit 64fb2bcbdbb87a74af90dd723d5ef4a99fceeb73 clearly indicates that the safe_extract function in clearml/storage/util.py was vulnerable. The patch introduces specific checks for symbolic and hard links (issym and islnk) within a tar archive before extraction. The added code verifies that the link target does not point outside the intended extraction directory. The absence of these checks in the original code is the root cause of the path traversal vulnerability (CVE-2025-8917). Therefore, any runtime profile of an exploitation attempt would show the safe_extract function being called to process the malicious archive.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-8917: clearml is vulnerable to Path Traversal through its `safe_extract` function

CVE-2025-8917:

5.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

5.8

5.8

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Basic Information

Basic Information

CVE-2025-8917: clearml is vulnerable to Path Traversal through its `safe_extract` function

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI