Platform
python
Component
copier
Fixed in
9.9.2
9.9.1
CVE-2025-55201 describes an arbitrary file access vulnerability in Copier, a Python-based project generator. The flaw allows an attacker who controls a template to bypass the restrictions Copier places on Jinja templates, leading to unauthorized file reads. Copier versions prior to 9.9.1 are affected; the fix shipped in version 9.9.1.
The vulnerability stems from insufficient restrictions in Copier's Jinja templating layer. Copier attempts to confine file access through the {% include ... %} directive, but limitations in the Jinja extensions and custom configurations it allows can be exploited. An attacker can craft a malicious template whose includes escape those restrictions and read files outside the template that the Copier process can reach. Data at risk includes configuration files, source code, and anything else readable under the privileges of the user running Copier. The flaw does not provide lateral movement by itself, but the files it exposes (credentials in configuration files, for example) can facilitate further attacks.
This CVE was publicly disclosed on 2025-08-18. No public proof-of-concept (PoC) code has been identified as of this date, and the vulnerability is not listed on CISA KEV. The EPSS score is currently 0.04% (12th percentile), i.e. low; the practical risk is nonetheless elevated for anyone who generates projects from templates sourced from untrusted origins, because exploitation requires nothing more than running a malicious template.
Organizations and developers who run Copier on templates from untrusted sources, or who rely on custom Jinja extensions, are exposed. Shared hosting environments where several users run Copier are also at risk if templates are not isolated from one another, since a template can read whatever the invoking user can read.
• python / project-generator:
import re
import subprocess

# Versions at or below this one are affected by CVE-2025-55201; 9.9.1 carries the fix.
LAST_VULNERABLE = (9, 9, 0)


def parse_version(text):
    """Extract the first dotted x.y.z version from CLI output and return it as an int tuple."""
    match = re.search(r'(\d+)\.(\d+)\.(\d+)', text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.groups())


def check_copier_version():
    try:
        result = subprocess.run(['copier', '--version'], capture_output=True, text=True, check=True)
        version = parse_version(result.stdout)
        label = '.'.join(map(str, version))
        # Compare numerically: a plain string comparison would misorder e.g. 9.10.0 against 9.9.0.
        if version <= LAST_VULNERABLE:
            print(f"Copier version is vulnerable: {label}")
        else:
            print(f"Copier version is patched: {label}")
    except FileNotFoundError:
        print("Copier is not installed.")
    except (subprocess.CalledProcessError, ValueError) as e:
        print(f"Error checking Copier version: {e}")


check_copier_version()
• generic web: Review Copier template configuration files (copier.yml / copier.yaml) for custom Jinja extensions (the _jinja_extensions setting) or other template features that widen what a template can load, and treat any template that needs them as untrusted until reviewed.
Disclosure
Exploit status
EPSS
0.04% (12th percentile)
CISA SSVC
The primary mitigation is to upgrade Copier to version 9.9.1 or later, which addresses the vulnerability by tightening the restrictions applied to Jinja templates. If an immediate upgrade is not feasible, control where templates come from: generate only from repositories you trust, review templates before use, and be especially wary of templates that load custom Jinja extensions or other non-default template features. Because Copier is a command-line tool rather than a network service, a Web Application Firewall is not a relevant control here; the attack surface is the template file itself, and the blast radius is whatever the user running Copier can read, so run it under a low-privilege account or in a sandbox when templates are untrusted. After upgrading, confirm the fix by attempting to include a file outside the template from a test template and verifying that Copier refuses it.
Update the Copier library to version 9.9.1 or later. This fixes the arbitrary file read/write vulnerability. You can update with `pip install --upgrade copier`.
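The boundary that the description and the mitigation advice above revolve around is "an include must not resolve to a file outside the template root". The following is an added example written for this page, not Copier's own code and not a reproduction of the CVE: a loader-side containment check that refuses absolute paths, parent-directory segments and symlinks that resolve outside the root, shown beside the naive join-and-open that a permissive loader effectively performs. The directory layout, the secret file, and the function names (resolve_include, load_include, naive_load, run_demo) are constructed for the example.

```python
import os
import tempfile


class IncludeDenied(Exception):
    """Raised when an include name would resolve to a file outside the template root."""


def resolve_include(template_root, name):
    """Map a Jinja-style include name to a file path, refusing anything outside
    template_root. Hypothetical hardening check written for this page, not Copier's code."""
    root = os.path.realpath(template_root)
    if os.path.isabs(name):
        raise IncludeDenied(f"absolute include path {name!r}")
    # Normalise separators and drop empty / '.' segments the way a loader would.
    pieces = [p for p in name.replace("\\", "/").split("/") if p not in ("", ".")]
    if os.pardir in pieces:
        raise IncludeDenied(f"parent-directory segment in {name!r}")
    candidate = os.path.join(root, *pieces)
    # realpath follows symlinks, so a link inside the root that points outside is caught here.
    real = os.path.realpath(candidate)
    if os.path.commonpath([root, real]) != root:
        raise IncludeDenied(f"{name!r} resolves to {real}, outside the template root")
    return real


def load_include(template_root, name):
    """Hardened read: only files proven to live under template_root are opened."""
    with open(resolve_include(template_root, name), encoding="utf-8") as f:
        return f.read()


def naive_load(template_root, name):
    """What a permissive loader effectively does: join and open, with no containment check."""
    with open(os.path.join(template_root, name), encoding="utf-8") as f:
        return f.read()


def run_demo():
    """Constructed layout for the example: a template root holding one legitimate
    partial and a symlink that escapes the root, plus a secret file one level up.
    Returns what each loader produced for each include name."""
    results = {"naive": {}, "hardened": {}}
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "template")
        os.mkdir(root)
        with open(os.path.join(base, "secret.env"), "w", encoding="utf-8") as f:
            f.write("DB_PASSWORD=hunter2\n")  # constructed secret, outside the template root
        with open(os.path.join(root, "header.jinja"), "w", encoding="utf-8") as f:
            f.write("# generated by template\n")
        os.symlink(os.path.join(base, "secret.env"), os.path.join(root, "leak"))

        # Relative names only for the naive loader, so the demo never touches real host files.
        for name in ("header.jinja", "../secret.env", "leak"):
            results["naive"][name] = naive_load(root, name)

        for name in ("header.jinja", "../secret.env", "leak", "/etc/passwd", "sub/../../secret.env"):
            try:
                results["hardened"][name] = load_include(root, name)
            except IncludeDenied as exc:
                results["hardened"][name] = f"denied: {exc}"
    return results


if __name__ == "__main__":
    for loader, outcome in run_demo().items():
        for name, value in outcome.items():
            print(f"{loader:9s} {name:22s} -> {value!r}")
```

In a real Jinja environment this check belongs in a FileSystemLoader subclass that overrides get_source and validates the filename it is about to open. Jinja's stock FileSystemLoader already rejects `..` segments on its own, but it follows symlinks and serves any file under any directory on its searchpath, which is why an over-wide searchpath, or an extension that installs its own loader, is enough to turn an include into a file read.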
CVE-2025-55201 is a HIGH severity vulnerability in Copier versions ≤9.9.0 that allows attackers to bypass Jinja template restrictions and read arbitrary files.
You are affected if you are using Copier version 9.9.0 or earlier. Upgrade to version 9.9.1 to mitigate the vulnerability.
Upgrade to Copier version 9.9.1. As a temporary workaround, restrict template sources to ones you trust and avoid templates that load custom Jinja extensions or other non-default template features.
There are currently no reports of active exploitation, but the vulnerability is publicly known.
Refer to the Copier project's official documentation and release notes for updates and advisories regarding CVE-2025-55201.