Platform: python
Component: copier
Fixed in: 9.9.2, 9.9.1
CVE-2025-55201 describes an Arbitrary File Access vulnerability within Copier, a Python-based project generator. This flaw allows attackers to bypass intended security restrictions within Jinja templates, potentially leading to unauthorized file access. Versions of Copier prior to 9.9.1 are affected, and a fix has been released in version 9.9.1.
The vulnerability stems from insufficient restrictions on filesystem access through Jinja templating within Copier. While Copier restricts the paths that `{% include ... %}` may load, attackers can use custom Jinja extensions or other unsafe template features to bypass that restriction. This allows arbitrary files on the system to be read, potentially exposing sensitive configuration data, source code, or other critical information. The blast radius depends on the permissions of the user running Copier and on which files that user can read.
This vulnerability was publicly disclosed on 2025-08-18. No known public proof-of-concept (PoC) exists at this time. The vulnerability is not currently listed on CISA KEV. The severity is assessed as HIGH due to the potential for unauthorized file access, but the lack of a public PoC suggests a lower probability of immediate exploitation.
Exploit Status
EPSS: 0.04% (12th percentile)
CISA SSVC
The primary mitigation for CVE-2025-55201 is to upgrade to Copier version 9.9.1 or later, which addresses the vulnerability. If upgrading immediately is not feasible, restrict the sources from which Copier templates are generated to trusted locations. Disable or remove any custom Jinja extensions or unsafe features that might be present in your Copier templates. Carefully review and audit all templates used by Copier to identify and eliminate potential vulnerabilities. After upgrading, confirm the fix by attempting to access files outside of the intended template subtree.
Update the Copier library to version 9.9.1 or higher. This fixes the arbitrary file access vulnerability. You can update using `pip install --upgrade copier`.
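As an added check (not Copier's own code), the script below flags an installed Copier older than 9.9.1 and lists the trust-gated keys in a parsed copier.yml that the mitigation says to audit. It assumes the advisory's version boundary and that the keys `_jinja_extensions`, `_tasks` and `_migrations` are the features Copier only enables for trusted templates; the sample config is constructed.

```python
import re
from importlib import metadata
from typing import Optional

FIXED_VERSION = "9.9.1"  # first release with the fix, per the advisory
# Assumption: copier.yml keys that pull in template-supplied code or commands
# and that Copier only enables for trusted templates.
TRUST_GATED_KEYS = ("_jinja_extensions", "_tasks", "_migrations")


def parse_version(text: str) -> tuple:
    """Turn '9.9.1' or '9.9.1rc1' into a comparable tuple."""
    m = re.match(r"\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$", text.split("+", 1)[0])
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch, rest = m.groups()
    nums = (int(major), int(minor or 0), int(patch or 0))
    # A pre-release tag (a, b, c, rc, dev) sorts before the final release.
    pre = bool(re.match(r"[-._]?(a|b|c|rc|dev)\d*", rest))
    return nums + ((-1,) if pre else (0,))


def is_vulnerable(version: str) -> bool:
    """True when this Copier version predates the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def installed_copier_version() -> Optional[str]:
    """Version of the copier distribution in this environment, if any."""
    try:
        return metadata.version("copier")
    except metadata.PackageNotFoundError:
        return None


def trust_gated_features(copier_config: dict) -> dict:
    """Trust-gated keys found in a parsed copier.yml (yaml.safe_load output)."""
    return {k: copier_config[k] for k in TRUST_GATED_KEYS if k in copier_config}


# Constructed sample of a parsed copier.yml, for demonstration only.
SAMPLE_CONFIG = {
    "project_name": {"type": "str"},
    "_jinja_extensions": ["jinja2_time.TimeExtension"],
    "_tasks": ["pip install -e ."],
}

if __name__ == "__main__":
    found = installed_copier_version()
    print(f"installed copier: {found}, vulnerable: {is_vulnerable(found) if found else 'n/a'}")
    print("audit before trusting this template:", trust_gated_features(SAMPLE_CONFIG))
```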
CVE-2025-55201 is a HIGH severity vulnerability in Copier versions ≤9.9.0 that allows attackers to bypass Jinja template restrictions and read arbitrary files.
You are affected if you are using Copier version 9.9.0 or earlier. Upgrade to version 9.9.1 to mitigate the vulnerability.
Upgrade to Copier version 9.9.1. As a temporary workaround, restrict template sources and disable unsafe Jinja features.
There are currently no reports of active exploitation, but the vulnerability is publicly known.
Refer to the Copier project's official documentation and release notes for updates and advisories regarding CVE-2025-55201.