Platform: javascript
Component: ferret
Fixed in: 2.0.1
CVE-2026-34783 describes a Path Traversal vulnerability discovered in Ferret, a declarative system for web data processing. This flaw allows malicious websites to write arbitrary files to the system running Ferret, potentially enabling remote code execution. The vulnerability affects versions 0.0.0 up to, but not including, 2.0.0-alpha.4, and a fix is available in version 2.0.0-alpha.4.
The core of the vulnerability lies in Ferret's IO::FS::WRITE function. When scraping websites, Ferret typically uses filenames returned by the website to construct output paths. An attacker can craft a malicious website that returns filenames containing ../ sequences. Ferret, without proper sanitization, will then use these manipulated filenames to write files to arbitrary locations on the system. This allows an attacker to overwrite critical system files, such as cron jobs, SSH authorized keys, or shell profiles, leading to complete system compromise. The potential for remote code execution is significant, as an attacker can inject malicious code into these files, which will then be executed by the system.
This vulnerability was publicly disclosed on 2026-04-06. There is currently no indication of active exploitation campaigns. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score of 8.1 (HIGH) reflects the potential for significant impact.
Developers and organizations using Ferret for web scraping and data extraction are at risk. Specifically, those relying on untrusted external data sources without proper input validation are particularly vulnerable. Shared hosting environments where multiple users may be running Ferret scripts could also be affected, as an attacker could potentially compromise the entire host.
• javascript / node.js:
// Check the installed Ferret version
const ferretVersion = require('ferret').version;
console.log(`Ferret version: ${ferretVersion}`);
// If version < 2.0.0-alpha.4, the system is vulnerable.
• generic web:
# Check for suspicious file writes in logs (-F matches the literal "../" rather than treating it as a regex)
grep -rF "../" /var/log/ferret/
EPSS: 0.17% (38th percentile)
The primary mitigation is to upgrade Ferret to version 2.0.0-alpha.4 or later, which includes the necessary fix. If upgrading is not immediately feasible, consider implementing input validation on the filenames received from the scraped website. Specifically, sanitize any filenames containing ../ sequences before using them to construct output paths. A Web Application Firewall (WAF) could also be configured to block requests containing suspicious filenames. While a direct detection signature is difficult to create, monitoring file system activity for unexpected writes to sensitive locations (e.g., /etc/cron.d/, ~/.ssh/authorized_keys) can provide an early warning sign.
Upgrade to version 2.0.0-alpha.4 or later to mitigate the path traversal vulnerability. Ensure that output paths are properly validated to prevent the injection of malicious paths. Review the code to identify and correct any instance where user-supplied filenames are used to construct file paths.
CVE-2026-34783 is a Path Traversal vulnerability in Ferret versions 0.0.0 through 2.0.0-alpha.3, allowing attackers to write arbitrary files to the system.
You are affected if you are using Ferret versions 0.0.0 through 2.0.0-alpha.3 and are scraping data from untrusted sources.
Upgrade to Ferret version 2.0.0-alpha.4 or later. As a temporary workaround, sanitize filenames received from external sources to remove ../ sequences.
There is currently no indication of active exploitation campaigns targeting CVE-2026-34783.
Refer to the Ferret project's official release notes and security advisories for details: [https://ferret.rs/](https://ferret.rs/)