CVE-2025-58438: Directory Traversal in internetarchive
Platform: python
Component: internetarchive
Fixed in: 5.5.2, 5.5.1
CVE-2025-58438 is a critical directory traversal vulnerability in the internetarchive Python library. The flaw allows an attacker to read arbitrary files on the affected system, a significant security risk. Versions of the library prior to 5.5.1 are affected; a fix has been released.
Impact and Attack Scenarios
The internetarchive library's file.download() method is vulnerable to path traversal because it does not sufficiently sanitize user-supplied filenames. An attacker who controls a filename can craft one that, when processed by the library, causes the downloaded file to be placed outside the intended download directory. This could give them access to sensitive system files or configuration data, and could lead to arbitrary code execution if the misplaced file is later processed by another application. The vulnerability is of particular concern on Windows systems, but it affects every operating system on which the library runs. Successful exploitation could lead to complete system compromise.
Exploitation Context
This vulnerability has a high potential for exploitation due to its critical severity and the ease with which directory traversal vulnerabilities can be exploited. As of the publication date (2025-09-05), no public proof-of-concept exploits have been released, but the vulnerability is likely to be targeted. Its inclusion in the NVD and CISA advisories indicates a high level of concern within the cybersecurity community. The EPSS score is likely to be assessed as medium to high, reflecting the potential for widespread exploitation.
Threat Intelligence
EPSS: 1.62% (82nd percentile)
Mitigation and Workarounds
The primary mitigation for CVE-2025-58438 is to upgrade the internetarchive library to version 5.5.1 or later. If upgrading is not immediately feasible, consider implementing strict input validation on any filenames passed to the file.download() method. This should include whitelisting allowed characters and preventing the use of directory traversal sequences (e.g., ../). While a WAF or proxy is unlikely to directly mitigate this vulnerability, it could be configured to monitor for suspicious file download requests. After upgrading, confirm the fix by attempting to download a file using a crafted filename containing directory traversal sequences; the download should fail with an appropriate error.
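As an added illustration of the input-validation workaround above (this is not code from the internetarchive project or from the advisory), the following standalone Python check validates a remote filename before it is handed to file.download(): an allowlist per path component, rejection of traversal and absolute or drive-qualified paths in both POSIX and Windows syntax, and a final containment check on the resolved path. The download directory name, the allowlist and the sample names are assumptions.

```python
import ntpath
import os
import re

# Constructed allowlist for one path component: starts and ends with an
# alphanumeric, with dot, underscore, dash and space allowed in between.
# "", ".", ".." and trailing dots/spaces (which Windows strips) fail by design.
_COMPONENT = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9._ -]*[A-Za-z0-9])?$")
# Windows device names are reserved whatever the extension (CON.txt is the console).
_RESERVED = {"CON", "PRN", "AUX", "NUL", *(f"COM{i}" for i in range(1, 10)),
             *(f"LPT{i}" for i in range(1, 10))}


class UnsafeFilename(ValueError):
    """Raised when a remote filename must not be written under the download dir."""


def safe_join(base_dir: str, name: str) -> str:
    """Return the absolute on-disk path for `name` inside `base_dir`, or raise
    UnsafeFilename. Both '/' and '\\' count as separators so one rule covers
    POSIX and Windows hosts; a final realpath containment check backs it up."""
    if not name or "\x00" in name:
        raise UnsafeFilename("empty name or embedded NUL")
    # Normalise Windows separators first so '..\\x' cannot slip past a '/'-only check.
    normalised = name.replace("\\", "/")
    if normalised.startswith("/") or ntpath.splitdrive(normalised)[0]:
        raise UnsafeFilename(f"absolute or drive-qualified path: {name!r}")
    parts = normalised.split("/")
    for part in parts:
        if not _COMPONENT.match(part):
            raise UnsafeFilename(f"disallowed path component: {part!r}")
        if part.split(".", 1)[0].upper() in _RESERVED:
            raise UnsafeFilename(f"reserved Windows device name: {part!r}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, *parts))
    # Belt and braces: even if the allowlist missed something, the resolved
    # path (symlinks collapsed) must still lie under base_dir.
    if os.path.commonpath([base, target]) != base:
        raise UnsafeFilename(f"resolved outside download directory: {name!r}")
    return target


def is_safe(base_dir: str, name: str) -> bool:
    """Boolean form of safe_join(), handy for tests, logging and unit checks."""
    try:
        safe_join(base_dir, name)
    except UnsafeFilename:
        return False
    return True
```

Call safe_join() on every remote filename and pass only the returned path on; the same set of crafted names also doubles as the post-upgrade regression check the paragraph recommends.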
How to fix
Update the internetarchive library to version 5.5.1 or higher. This corrects the path traversal vulnerability in the file.download() method. You can update using pip: `pip install internetarchive==5.5.1`.
Frequently asked questions
What is CVE-2025-58438 — Directory Traversal in internetarchive?
CVE-2025-58438 is a critical directory traversal vulnerability in the internetarchive Python library, allowing attackers to potentially read arbitrary files.
Am I affected by CVE-2025-58438 in internetarchive?
Yes, if you are using the internetarchive library in versions less than 5.5.1, you are affected by this vulnerability.
How do I fix CVE-2025-58438 in internetarchive?
Upgrade the internetarchive library to version 5.5.1 or later. Implement strict input validation on filenames if immediate upgrade is not possible.
Is CVE-2025-58438 being actively exploited?
While no public exploits are currently known, the vulnerability's critical severity suggests it is likely to be targeted.
Where can I find the official internetarchive advisory for CVE-2025-58438?
Refer to the internetarchive project's release notes and security advisories on their official website or GitHub repository.