copier is vulnerable to Path Traversal
81
High Risk
Copier's trust setting matches a template URL against a trusted prefix in copier/_settings.py after normalizing it with posixpath.normpath, but it does not percent-decode the URL first. A template reference using percent-encoded dot segments (%2e%2e), encoded separators (%2f), or backslashes (%5c or literal \) can therefore textually match a trusted prefix while the HTTP/Git layer resolves it to a different, attacker-controlled location. Because trust is granted, the untrusted template's tasks, migrations, and jinja_extensions run without the trust prompt, allowing arbitrary command execution. The fix percent-decodes the URL and folds backslashes to / before normalization and the trust comparison.
You are affected if you are using a version that falls within the vulnerable range and you have configured a trusted template URL prefix.
copier is vulnerable to Path Traversal in versions 9.15.2 - 9.16.0.
Upgrade the copier library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant