CVE-2025-8406 MEDIUM

CVE-2025-8406: Path Traversal in zenml-io/zenml

Vendor Zenml-Io
Product zenml-io/zenml
Weakness CWE-22 · Path traversal
Published October 5, 2025
Last update October 6, 2025

CVSS base score

6.3/10
Attack vector Local
Attack complexity High
Privileges required High
User interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

Description

ZenML version 0.83.1 is affected by a path traversal vulnerability in the `PathMaterializer` class. The `load` function uses `is_path_within_directory` to validate member paths while extracting `data.tar.gz`, but that check does not account for symbolic or hard link members, so a crafted archive can plant a link and then write through it to a location outside the extraction directory. The result is an arbitrary file write, which can escalate to arbitrary command execution if files the process later executes or trusts are overwritten.
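The following is an added example illustrating the bug class, not ZenML's code: `is_within_directory` is a hypothetical stand-in for a name-only containment check of the kind the description implies, the archive is constructed in memory, and the extraction loops are hand-rolled (rather than `tarfile.extractall`) so that the symlink-following step is visible. The vulnerable extractor accepts both members because their names stay under the destination, yet the second member is written through the `out` symlink into a directory outside it; the hardened extractor rejects link members and re-checks every resolved path with `os.path.realpath` before writing.

```python
import io
import os
import tarfile
import tempfile


def is_within_directory(directory: str, target: str) -> bool:
    """Name-only containment check (hypothetical stand-in, not ZenML's).

    It normalises the member's path *string* and never consults the
    filesystem, so a symlink created by an earlier member is invisible to it.
    """
    abs_dir = os.path.abspath(directory)
    abs_target = os.path.abspath(os.path.join(directory, target))
    return os.path.commonpath([abs_dir, abs_target]) == abs_dir


def build_malicious_tgz(outside_dir: str) -> bytes:
    """Construct (in memory) a data.tar.gz whose first member is a symlink
    'out' -> outside_dir and whose second member is the file 'out/pwned.txt'.
    Both member *names* are relative and inside the archive root."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        link = tarfile.TarInfo("out")
        link.type = tarfile.SYMTYPE
        link.linkname = outside_dir            # absolute path outside dest
        tar.addfile(link)
        payload = b"written through the symlink\n"
        member = tarfile.TarInfo("out/pwned.txt")  # default type: regular file
        member.size = len(payload)
        tar.addfile(member, io.BytesIO(payload))
    return buf.getvalue()


def extract_vulnerable(tgz: bytes, dest: str) -> None:
    """Vulnerable pattern: names are checked, link members are honoured, and
    the regular file is then written *through* the planted symlink."""
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        for m in tar.getmembers():
            if not is_within_directory(dest, m.name):
                raise ValueError(f"blocked: {m.name}")
            path = os.path.join(dest, m.name)
            if m.issym():
                os.symlink(m.linkname, path)
            elif m.isfile():
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:     # resolves dest/out -> outside
                    f.write(tar.extractfile(m).read())


def extract_hardened(tgz: bytes, dest: str) -> None:
    """Hardened pattern: refuse symlink/hardlink members, and verify the
    *resolved* destination of every member before touching the disk."""
    real_dest = os.path.realpath(dest)
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.issym() or m.islnk():
                raise ValueError(f"link member rejected: {m.name} -> {m.linkname}")
            path = os.path.join(real_dest, m.name)
            # realpath follows any symlink already present under dest, so an
            # absolute name, '..' segment or pre-planted link all fail here.
            if os.path.commonpath([real_dest, os.path.realpath(path)]) != real_dest:
                raise ValueError(f"escapes destination: {m.name}")
            if m.isdir():
                os.makedirs(path, exist_ok=True)
            elif m.isfile():
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(tar.extractfile(m).read())
            else:
                raise ValueError(f"unsupported member type: {m.name}")


def demo() -> dict:
    """Run both extractors on the same archive inside a throwaway tree."""
    with tempfile.TemporaryDirectory() as root:
        outside = os.path.join(root, "outside")
        os.mkdir(outside)
        tgz = build_malicious_tgz(outside)

        dest_vuln = os.path.join(root, "extract_vuln")
        os.mkdir(dest_vuln)
        extract_vulnerable(tgz, dest_vuln)
        escaped = os.path.isfile(os.path.join(outside, "pwned.txt"))

        dest_hard = os.path.join(root, "extract_hardened")
        os.mkdir(dest_hard)
        try:
            extract_hardened(tgz, dest_hard)
            blocked = False
        except ValueError:
            blocked = True
        wrote_nothing = not os.path.lexists(os.path.join(dest_hard, "out"))
        return {
            "vulnerable_escaped": escaped,
            "hardened_blocked": blocked,
            "hardened_wrote_nothing": wrote_nothing,
        }


if __name__ == "__main__":
    print(demo())
```

Rejecting every link member is the simplest safe policy for a data archive; if links must be supported, allow only those whose `linkname` resolves inside `real_dest`, and keep the per-member `realpath` check because a later member may still be written through an allowed link. On CPython with the PEP 706 extraction filters, `tarfile.extractall(..., filter="data")` enforces the same rules (links that escape the destination are refused), which is a better fix than a hand-rolled loop where that API is available.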

Key dates

Disclosure timeline

October 5, 2025 CVE published
October 6, 2025 Record updated