PyMuPDF is vulnerable to Path Traversal
65
Medium Risk
Affected versions of this package are vulnerable to Path Traversal because the embedded_get functionality does not properly sanitize the user-controlled path parameter. This allows an attacker to craft a path containing directory traversal sequences, potentially causing files to be written outside the intended working directory or to overwrite existing files.
The issue is mitigated by introducing stricter path validation: by default, the command now refuses to write to an existing file or to any location outside the current directory. Writing outside these constraints is only possible when explicitly allowed via the -output option or the newly introduced -unsafe flag, making the security impact opt-in and explicit.
You are affected if you are using a version that falls within the vulnerable range.
PyMuPDF is vulnerable to Path Traversal in versions 0.23.0 - 1.26.6.
Upgrade the PyMuPDF library to the patched version.
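A sketch of the default policy described above: confine writes to the current directory, refuse to overwrite, and bypass the checks only on explicit operator opt-in. This is an added example, not PyMuPDF's own code; `safe_output_path`, its parameters, `UnsafePathError`, `classify` and the sample names are hypothetical.

```python
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """args[0] is the refusal reason: 'outside' or 'exists'."""


def safe_output_path(name, base_dir, explicit_output=None, unsafe=False):
    """Pick where to write an extracted embedded file (hypothetical helper).

    name: file name stored in the PDF, treated as attacker-controlled.
    base_dir: directory extraction is confined to (the current directory).
    explicit_output: path the operator typed themselves; used as given.
    unsafe: operator opt-in that skips both checks.
    """
    if explicit_output is not None:
        return Path(explicit_output)
    base = Path(base_dir).resolve()
    # resolve() collapses ".." and follows symlinks, so the check below
    # compares real locations; an absolute name replaces base entirely.
    target = (base / name).resolve()
    if unsafe:
        return target
    if base not in target.parents:
        raise UnsafePathError("outside", name)
    if target.exists():
        raise UnsafePathError("exists", name)
    return target


def classify(names, base_dir):
    """Map each candidate name to 'ok' or the reason it was refused."""
    results = {}
    for name in names:
        try:
            safe_output_path(name, base_dir)
            results[name] = "ok"
        except UnsafePathError as exc:
            results[name] = exc.args[0]
    return results


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as workdir:
        (Path(workdir) / "existing.txt").write_text("keep me")
        # Constructed sample names, as they might be stored in a PDF.
        samples = ["invoice.xml", "existing.txt", "../escape.txt",
                   "sub/../../escape.txt", "/tmp/absolute.txt"]
        for name, verdict in classify(samples, workdir).items():
            print(f"{verdict:8} {name}")
```

The containment check runs on the resolved path, not the raw string, so a name that looks harmless but passes through `..` or a symlink is still refused.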