Platform
javascript
Component
ferret
Fixed in
2.0.1
CVE-2026-34783 describes a Path Traversal vulnerability discovered in Ferret, a declarative system for web data processing. This flaw allows malicious websites to write arbitrary files to the system running Ferret, potentially enabling remote code execution. The vulnerability affects versions 0.0.0 up to, but not including, 2.0.0-alpha.4, and a fix is available in version 2.0.0-alpha.4.
The core of the vulnerability lies in Ferret's IO::FS::WRITE function. When scraping websites, Ferret typically uses filenames returned by the scraped site to determine where to save data. An attacker can craft a website that returns filenames containing ../ sequences. Ferret, without proper sanitization, will interpret these sequences as directory traversal instructions, allowing the attacker to write files outside of the intended output directory. This could involve overwriting critical system files like cron job scripts, SSH authorized keys, or shell profiles. Successful exploitation could lead to complete system compromise, allowing the attacker to execute arbitrary code with the privileges of the Ferret process.
This vulnerability was publicly disclosed on 2026-04-06. There is currently no indication of active exploitation campaigns targeting Ferret. The vulnerability's impact is significant due to the potential for remote code execution, but the relatively niche usage of Ferret may limit its immediate exposure. No KEV listing is currently available.
Exploit Status
EPSS
0.17% (38% percentile)
CISA SSVC
The primary mitigation is to upgrade to Ferret version 2.0.0-alpha.4 or later, which includes the necessary fix to prevent path traversal. If upgrading immediately is not feasible, consider implementing input validation to sanitize filenames received from external sources. Specifically, strip or reject any filenames containing ../ sequences before passing them to Ferret’s IO::FS::WRITE function. While a WAF might offer some protection, it's unlikely to be effective against this type of vulnerability as it occurs within the application logic. After upgrading, verify the fix by attempting to scrape a website designed to trigger the path traversal vulnerability and confirm that files are not written to unintended locations.
Actualice a la versión 2.0.0-alpha.4 o posterior para mitigar la vulnerabilidad de recorrido de ruta. Asegúrese de que las rutas de salida se validen adecuadamente para evitar la inyección de rutas maliciosas. Revise el código para identificar y corregir cualquier instancia donde los nombres de archivo proporcionados por el usuario se utilicen para construir rutas de archivo.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-34783 is a Path Traversal vulnerability in Ferret versions 0.0.0 through 2.0.0-alpha.3, allowing attackers to write arbitrary files to the system.
You are affected if you are using Ferret versions 0.0.0 through 2.0.0-alpha.3 and are scraping data from untrusted sources.
Upgrade to Ferret version 2.0.0-alpha.4 or later. As a temporary workaround, sanitize filenames received from external sources to remove ../ sequences.
There is currently no indication of active exploitation campaigns targeting CVE-2026-34783.
Refer to the Ferret project's official release notes and security advisories for details: [https://ferret.rs/](https://ferret.rs/)
CVSS Vector
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.