psd-tools is vulnerable to Path Traversal
59
Medium Risk
The SmartObject.save() method in psd-tools writes an embedded smart object to a file path taken verbatim from the parsed PSD without sanitization. When an application extracts embedded smart objects from an untrusted PSD, the embedded name can contain an absolute path or ../ traversal sequences, causing file-supplied bytes to be written outside the intended output directory. For external-kind smart objects, the fullPath descriptor is additionally used as an arbitrary read source, so file contents can be copied into the output directory. The fix strips directory components from the embedded name, confines writes to a caller-supplied directory, and constrains external read paths.
You are affected if you are using a version that falls within the vulnerable range and your application extracts embedded smart objects from untrusted PSD files via SmartObject.save().
psd-tools is vulnerable to Path Traversal in versions 0.0.1 - 1.17.0.
Upgrade the psd-tools library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant