
AIKIDO-2025-10536

zenml is vulnerable to Path Traversal

Path Traversal | CVE-2025-8406 | Published Aug 8, 2025


High Risk

This Affects:

Package: zenml (python)
Affected versions: 0.0.1 - 0.84.1
Fixed in 0.84.2

TL;DR

Affected versions of the package are vulnerable to path traversal attacks due to insufficient validation in the PathMaterializer.load function. The implementation checks whether each archive member's name resides within the intended directory before extraction, but it does not apply the same check to the target paths of symbolic and hard links. A link entry whose name sits inside the destination directory can therefore point at a location outside it. This oversight allows attackers to craft archive entries that escape the destination directory, potentially leading to arbitrary file overwrite or unauthorized file access.
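The following is an added example, not code from zenml or from the advisory. It shows the check that a defender would want before extracting an untrusted tar archive: the member name is validated as the flawed pattern does, and, in addition, symlink and hard-link targets are resolved and validated against the destination. The archive and the destination path `/tmp/zenml-materializer-demo` are constructed for the demonstration.

```python
import io
import os
import tarfile

def _inside(base: str, path: str) -> bool:
    """True if `path`, interpreted relative to `base`, resolves to a location inside `base`."""
    base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base, path))
    return os.path.commonpath([base, target]) == base

def unsafe_members(archive: tarfile.TarFile, dest: str) -> list:
    """Names of entries that must not be extracted into `dest`.

    A name-only check (the flawed pattern in the advisory) catches the first case but
    not the two link cases, whose names sit inside dest while their targets do not.
    """
    flagged = []
    for m in archive.getmembers():
        if not _inside(dest, m.name):
            flagged.append(m.name)
        elif m.issym():
            # A symlink target is resolved relative to the directory containing the link.
            if not _inside(dest, os.path.join(os.path.dirname(m.name), m.linkname)):
                flagged.append(m.name)
        elif m.islnk():
            # A hard-link target is a path relative to the archive root.
            if not _inside(dest, m.linkname):
                flagged.append(m.name)
    return flagged

def _entry(name, kind=tarfile.REGTYPE, linkname="", size=0):
    info = tarfile.TarInfo(name)
    info.type, info.linkname, info.size = kind, linkname, size
    return info

def build_sample_archive() -> bytes:
    """Constructed sample archive (hypothetical, not taken from the advisory)."""
    buf, payload = io.BytesIO(), b"hello\n"
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.addfile(_entry("data/ok.txt", size=len(payload)), io.BytesIO(payload))
        tar.addfile(_entry("data/alias", tarfile.SYMTYPE, "ok.txt"))  # -> data/ok.txt, fine
        tar.addfile(_entry("data/escape", tarfile.SYMTYPE, "../../outside.txt"))  # leaves dest
        tar.addfile(_entry("data/hard", tarfile.LNKTYPE, "../outside.txt"))  # leaves dest
    return buf.getvalue()

def audit_archive(data: bytes, dest: str) -> list:
    """Open an in-memory archive and report the entries that would escape `dest`."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return unsafe_members(tar, dest)
```

Running `audit_archive(build_sample_archive(), "/tmp/zenml-materializer-demo")` reports `data/escape` and `data/hard`, the two entries a name-only check would have let through; entries it reports should be rejected rather than extracted.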

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

zenml is vulnerable to Path Traversal in versions 0.0.1 - 0.84.1.

How to fix this

Upgrade the zenml library to version 0.84.2 or later, which contains the fix.