Intel

AIKIDO-2026-624912

awscli is vulnerable to Path Traversal

Path Traversal Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 24, 2026

59

Medium Risk

This Affects:

PYTHONawscli
1.12.0 - 1.45.17
Fixed in 1.45.18
Are you affected? Scan for Free

TL;DR

awscli guards S3 downloads against object keys that escape the destination directory by warning and skipping any key that references a parent directory. The escape check normalizes the compare key without anchoring it to the destination root, so a key with a leading slash such as /../foo collapses the parent segment and slips past the check. Downloading or syncing from a bucket that contains such crafted keys then writes files outside the intended destination directory. The fix anchors the key against the destination root before normalization so leading-slash parent references are correctly detected and skipped.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you download or sync objects from an untrusted S3 bucket whose object keys can be attacker-controlled.

Background info

awscli is vulnerable to Path Traversal in versions 1.12.0 - 1.45.17.

How to fix this

Upgrade the awscli library to the patch version.