Platform: python
Component: dbt-common
Fixed in: 1.37.4, 1.34.3, 1.34.2
A path traversal vulnerability has been identified in the safe_extract() function within dbt-common versions up to 1.9.0. This flaw allows attackers to potentially write files to unintended locations during the extraction of tarball archives, bypassing intended directory restrictions. The vulnerability stems from an inadequate path validation mechanism, allowing malicious tarballs to exploit this weakness. Affected users should upgrade to version 1.34.2 to resolve this issue.
The core of the vulnerability lies in the os.path.commonprefix() function used by safe_extract(). Instead of comparing path components, it compares paths character by character. This allows a carefully crafted tarball to include file paths that share a string prefix with the intended destination directory (e.g., /tmp/packages) yet resolve to sibling directories. For instance, a malicious tarball could write files to /tmp/pac/maliciousfile.txt despite the intended extraction path being /tmp/packages. This could lead to arbitrary file writes, potentially overwriting critical system files or injecting malicious code, depending on the permissions of the user running the dbt process.
This vulnerability was publicly disclosed on March 5, 2026. Currently, there are no known public proof-of-concept exploits available. The CVSS score is 2.5 (LOW), indicating a relatively low probability of exploitation. It is not listed on the CISA KEV catalog at the time of writing.
Organizations using dbt-common in their data transformation pipelines are at risk, particularly those who accept tarball archives from untrusted sources. Shared hosting environments where multiple users have access to the dbt environment are also at increased risk, as a compromised user could potentially exploit this vulnerability to affect other users.
• python / dbt: Inspect the installed dbt-common version with python -c "import importlib.metadata as m; print(m.version('dbt-common'))". If the version is ≤1.9.0, the system is vulnerable.
• python / dbt: Monitor dbt logs for any unusual file creation activity within the extraction directory (e.g., /tmp/packages).
• generic web: If dbt is exposed via a web interface, monitor access logs for requests containing suspicious file paths in the tarball archive URL.
disclosure
Exploit status
EPSS: 0.07% (percentile 22%)
CISA SSVC
The primary mitigation is to upgrade dbt-common to version 1.34.2 or later, which contains the fix for this vulnerability. If an immediate upgrade is not feasible due to compatibility concerns or breaking changes, consider restricting the source of tarball archives to trusted locations. Implement strict file permission controls on the extraction directory to limit the potential impact of a successful exploit. Review and audit any custom extraction logic to ensure robust path validation. After upgrading, verify the fix by attempting to extract a known malicious tarball (if available) and confirming that files are not written outside the intended destination directory.
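The following is an added example, not code from dbt-common or from the advisory, illustrating the class of defect described above and the component-wise check that a custom extraction routine should use instead. The flawed variant reproduces the character-wise os.path.commonprefix() comparison; the hardened variant resolves both paths and compares them with os.path.commonpath(), which operates on whole path segments. The archive contents, member names and the /tmp/packages destination are constructed for the demonstration.

```python
from __future__ import annotations

import io
import os
import tarfile
import tempfile


def flawed_is_within(dest: str, member_name: str) -> bool:
    """Character-wise prefix check of the kind the advisory describes.

    os.path.commonprefix() compares strings, not path components, so a
    sibling such as /tmp/packages-evil still "starts with" /tmp/packages
    and is accepted, while plain ../../etc/passwd traversal is caught.
    """
    dest_abs = os.path.abspath(dest)
    target = os.path.abspath(os.path.join(dest_abs, member_name))
    return os.path.commonprefix([dest_abs, target]) == dest_abs


def hardened_is_within(dest: str, member_name: str) -> bool:
    """Component-wise containment check: resolve symlinks and '..' on both
    sides, then compare whole path segments with os.path.commonpath()."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, member_name))
    try:
        return os.path.commonpath([dest_real, target]) == dest_real
    except ValueError:  # paths on different drives (Windows)
        return False


def safe_extract(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Extract only if every member stays inside dest (hypothetical hardened
    routine, not dbt-common's). Validation runs over the whole archive before
    anything is written, so a hostile archive is never partially unpacked."""
    for member in tar.getmembers():
        if not hardened_is_within(dest, member.name):
            raise ValueError(f"member escapes destination: {member.name!r}")
        # Link members are checked against the same boundary: a symlink or
        # hardlink pointing outside dest would let a later member write
        # through it. Symlink targets are relative to the member's directory,
        # hardlink targets are relative to the archive root.
        if member.issym():
            link_target = os.path.join(os.path.dirname(member.name), member.linkname)
        elif member.islnk():
            link_target = member.linkname
        else:
            continue
        if not hardened_is_within(dest, link_target):
            raise ValueError(f"link escapes destination: {member.name!r}")
    tar.extractall(dest)
    return [m.name for m in tar.getmembers()]


def build_archive(members: dict[str, bytes]) -> tarfile.TarFile:
    """Build an in-memory tarball from {name: content} (constructed test data,
    not a real dbt package)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


def compare_checks() -> dict[str, tuple[bool, bool]]:
    """Run both checks over a benign name, a sibling-directory escape and a
    classic traversal; returns {name: (flawed_result, hardened_result)}."""
    dest = "/tmp/packages"  # constructed destination, nothing is written here
    names = ["model.sql", "../packages-evil/x.txt", "../../etc/passwd"]
    return {n: (flawed_is_within(dest, n), hardened_is_within(dest, n)) for n in names}


def try_extract(members: dict[str, bytes]) -> tuple[bool, list[str]]:
    """Extract a constructed archive into a fresh temp dir; report whether it
    was accepted and which entries exist in the destination afterwards."""
    with tempfile.TemporaryDirectory() as dest, build_archive(members) as tar:
        try:
            safe_extract(tar, dest)
        except ValueError:
            return False, sorted(os.listdir(dest))
        return True, sorted(os.listdir(dest))


if __name__ == "__main__":
    for name, (flawed, hardened) in compare_checks().items():
        print(f"{name:28} commonprefix={flawed!s:5} commonpath={hardened}")
    print(try_extract({"model.sql": b"select 1"}))
    print(try_extract({"model.sql": b"select 1", "../sibling/evil.txt": b"x"}))
```

The sibling-directory case is the one the advisory is about: the prefix check accepts it and the component check rejects it, while both reject a plain ../../ traversal, which is why the flaw is easy to miss in testing. On Python 3.12 and later, tarfile.extractall() also accepts filter="data", which applies equivalent containment and link checks natively.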
Update the dbt-common library to version 1.34.2 or later, or to version 1.37.3 or later, as applicable, to correct the path traversal vulnerability. This prevents malicious archives from overwriting files outside the intended destination directory during tarball extraction.
CVE-2026-29790 is a Path Traversal vulnerability affecting dbt-common versions up to 1.9.0, allowing attackers to write files outside the intended extraction directory.
You are affected if you are using dbt-common version 1.9.0 or earlier. Check your version with python -c "import importlib.metadata as m; print(m.version('dbt-common'))".
Upgrade dbt-common to version 1.34.2 or later to resolve the vulnerability. If immediate upgrade is not possible, restrict tarball sources and implement strict file permissions.
As of now, there are no confirmed reports of active exploitation, but it's crucial to apply the fix proactively.
Refer to the dbt project's security advisories for the latest information and updates regarding CVE-2026-29790.