poetry is vulnerable to Path Traversal
46
Medium Risk
Affected versions of this package are vulnerable to path traversal during source distribution (sdist) extraction due to insufficient validation of file paths within archive contents. The extraction logic processes file entries from downloaded tarballs without properly sanitizing or restricting traversal sequences such as ../, allowing crafted archives to write files outside the intended target directory. An attacker able to supply a malicious package archive can exploit this behavior to overwrite arbitrary files on the filesystem during installation, potentially leading to code execution or compromise of the host environment. Note that a path traversal during sdist extraction is not as critical as it might seem because after extracting the sdist the project is built, which may result in arbitrary code execution by design.
You are affected if you are using a version that falls within the vulnerable range.
poetry is vulnerable to Path Traversal in versions 1.7.0 - 2.3.3.
Upgrade the poetry library to a patched version.
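Added defender-side example, not poetry's own code: a Python extraction routine that rejects tarball members whose resolved path (or link target) would land outside the destination directory, run against a constructed sdist-like archive that carries one benign member and one member named with a traversal sequence. The archive, file names and function names are assumptions made for this illustration.

```python
import io
import os
import tarfile
import tempfile


def build_sample_sdist() -> bytes:
    """Constructed test data: a gzip tarball with one benign member and one
    member whose name climbs out of the extraction root via '../'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in [("pkg-1.0/setup.py", b"# benign\n"),
                           ("../../outside.txt", b"escaped\n")]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _is_within(base: str, target: str) -> bool:
    """True if target, after resolving '..' and symlinks, stays under base."""
    base, target = os.path.realpath(base), os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def safe_extract(archive: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract only members that resolve inside dest; return (extracted, rejected)."""
    extracted, rejected = [], []
    # Python 3.12+ also offers extractall(filter="data"); the explicit check below
    # is the same idea spelled out, and works on older interpreters too.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            target = os.path.join(dest, member.name)
            if os.path.isabs(member.name) or not _is_within(dest, target):
                rejected.append(member.name)        # absolute or '../' escape
                continue
            if member.issym() or member.islnk():
                # symlinks resolve relative to their own directory, hard links
                # relative to the archive root; both must stay inside dest
                link_base = dest if member.islnk() else os.path.dirname(target)
                if not _is_within(dest, os.path.join(link_base, member.linkname)):
                    rejected.append(member.name)
                    continue
            tar.extract(member, dest, **extra)
            extracted.append(member.name)
    return extracted, rejected


def demo() -> dict:
    """Extract the constructed sample into a fresh temp dir and report the outcome."""
    dest = tempfile.mkdtemp(prefix="sdist-")
    extracted, rejected = safe_extract(build_sample_sdist(), dest)
    return {"extracted": extracted, "rejected": rejected,
            "setup_py_present": os.path.isfile(os.path.join(dest, "pkg-1.0", "setup.py"))}
```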