CVE-2025-8917 MEDIUM

CVE-2025-8917: Path Traversal Leading to Remote Code Execution in allegroai/clearml

Vendor Allegroai
Product allegroai/clearml
Weakness CWE-22 · Path traversal
Published October 5, 2025
Last update October 6, 2025

CVSS base score

5.8/10
Attack vector Local
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

A vulnerability in allegroai/clearml version v2.0.1 allows for path traversal due to improper handling of symbolic and hard links in the `safe_extract` function. This flaw can lead to arbitrary file writes outside the intended directory, potentially resulting in remote code execution if critical files are overwritten.

Key dates

02Disclosure timeline

October 5, 2025 CVE published
October 6, 2025 Record updated

Related vulnerabilities

04Related CVE