Platform
python
Component
copier
Fixed in
9.9.2
9.9.1
CVE-2025-55201 describes an Arbitrary File Access vulnerability within Copier, a Python-based project generator. This flaw allows attackers to bypass intended security restrictions within Jinja templates, potentially leading to unauthorized file access. Versions of Copier prior to 9.9.1 are affected, and a fix has been released in version 9.9.1.
The vulnerability stems from insufficient restrictions on filesystem access through Jinja templating within Copier. Copier restricts which files `{% include ... %}` may load, but custom Jinja extensions or unsafe template features can be used to bypass these limitations and read arbitrary files on the system, potentially exposing sensitive configuration data, source code, or other critical information. The blast radius depends on the permissions of the user running Copier and the files accessible on the system's filesystem.
This vulnerability was publicly disclosed on 2025-08-18. No known public proof-of-concept (PoC) exists at this time. The vulnerability is not currently listed on CISA KEV. The severity is assessed as HIGH due to the potential for unauthorized file access, but the lack of a public PoC suggests a lower probability of immediate exploitation.
Organizations and developers using Copier for project generation, particularly those relying on custom Jinja extensions or templates from untrusted sources, are at risk. Shared hosting environments where multiple users utilize Copier could also be vulnerable if templates are not properly isolated.
• python / project-generator:
    import re
    import subprocess

    # CVE-2025-55201 is fixed in Copier 9.9.1; anything older is affected.
    FIXED_VERSION = (9, 9, 1)

    def parse_version(text):
        """Extract the first dotted version number from CLI output as an int tuple."""
        match = re.search(r'(\d+)\.(\d+)\.(\d+)', text)
        if not match:
            raise ValueError(f"could not parse a version from: {text!r}")
        return tuple(int(part) for part in match.groups())

    def check_copier_version():
        try:
            result = subprocess.run(['copier', '--version'], capture_output=True, text=True, check=True)
            version = parse_version(result.stdout)
            # Compare integer tuples, not strings: a string comparison would
            # wrongly order e.g. '9.10.0' before '9.9.0'.
            if version < FIXED_VERSION:
                print(f"Copier version is vulnerable: {'.'.join(map(str, version))}")
            else:
                print(f"Copier version is patched: {'.'.join(map(str, version))}")
        except FileNotFoundError:
            print("Copier is not installed.")
        except (subprocess.CalledProcessError, ValueError) as e:
            print(f"Error checking Copier version: {e}")

    check_copier_version()
• generic web: Check Copier configuration files for references to custom Jinja extensions or potentially unsafe template features.
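The second check above is a manual review of copier.yml for custom Jinja extensions and other unsafe template features. The following added example (not code from the Copier project or from this advisory) automates that review over a constructed copier.yml. It assumes `_jinja_extensions` is the configuration key that loads custom extensions and that `_tasks` and `_migrations` are the other keys Copier treats as unsafe; the allow-list of built-in extensions is likewise an assumption for the example and should be checked against the Copier documentation for your version. Parsing is line-oriented so the script has no YAML dependency.

```python
import re

# Top-level copier.yml keys that can load extensions or run commands during
# generation. `_jinja_extensions` is the feature named in the advisory; the
# other two are assumed here to be the remaining unsafe keys (verify against
# the Copier docs for your version).
UNSAFE_KEYS = ("_jinja_extensions", "_tasks", "_migrations")

# Jinja's own extensions that a template may legitimately enable; anything
# else is a custom (dotted-path) extension and deserves manual review.
# This allow-list is an assumption for the example, not Copier's own.
KNOWN_SAFE_EXTENSIONS = {"jinja2.ext.do", "jinja2.ext.loopcontrols"}


def audit_copier_config(text):
    """Return findings for unsafe features in copier.yml content.

    Only top-level keys are inspected, using line-oriented parsing so the
    example needs no YAML library. Each finding is a (key, detail) tuple.
    """
    findings = []
    current_key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        top = re.match(r"^([A-Za-z_][\w-]*)\s*:\s*(.*)$", line)
        if top:
            current_key, inline_value = top.group(1), top.group(2).strip()
            if current_key in UNSAFE_KEYS:
                findings.append((current_key, inline_value or "(block follows)"))
            continue
        # Indented "- item" lines belong to the most recent top-level key.
        item = re.match(r"^\s+-\s+(.+)$", line)
        if item and current_key == "_jinja_extensions":
            ext = item.group(1).strip().strip("'\"")
            if ext not in KNOWN_SAFE_EXTENSIONS:
                findings.append(("_jinja_extensions", f"custom extension: {ext}"))
    return findings


# Constructed sample copier.yml for the example (not taken from the advisory).
SAMPLE_CONFIG = """\
_min_copier_version: "9.0.0"
project_name:
  type: str
_jinja_extensions:
  - jinja2.ext.do
  - my_helpers.CustomExtension
_tasks:
  - "echo post-generation hook"
"""

if __name__ == "__main__":
    for key, detail in audit_copier_config(SAMPLE_CONFIG):
        print(f"[review] {key}: {detail}")
```

Run it over every copier.yml in the template sources you trust; any `custom extension` finding names a module that will be imported and executed at generation time, which is exactly the surface the advisory is about, so each one should be read before the template is used.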
EPSS: 0.04% (12th percentile)
The primary mitigation for CVE-2025-55201 is to upgrade to Copier version 9.9.1 or later, which addresses the vulnerability. If upgrading immediately is not feasible, restrict the sources from which Copier templates are generated to trusted locations. Disable or remove any custom Jinja extensions or unsafe features that might be present in your Copier templates. Carefully review and audit all templates used by Copier to identify and eliminate potential vulnerabilities. After upgrading, confirm the fix by attempting to access files outside of the intended template subtree.
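The last step above, confirming that template includes cannot reach files outside the intended template subtree, comes down to one path-confinement rule: every requested path, after resolving `..` segments and symlinks, must still sit under the template root. The following added example (not Copier's or Jinja's own code) states that rule as a standalone check and exercises it against a constructed directory layout, so the same set of include paths can be compared with what a patched Copier actually accepts.

```python
import os
import tempfile


def is_within_template_root(root, requested):
    """True if `requested` (an include path) resolves inside `root`.

    Both sides are resolved with realpath, so `..` segments and symlinks
    that point outside the template subtree are rejected, not just a
    literal leading `../`.
    """
    root_real = os.path.realpath(root)
    # Absolute requests resolve as-is; relative ones are joined to the root.
    target = os.path.realpath(os.path.join(root_real, requested))
    try:
        return os.path.commonpath([root_real, target]) == root_real
    except ValueError:  # paths on different drives (Windows)
        return False


def check_template_includes(root, requested_paths):
    """Map each requested include path to whether a loader should allow it."""
    return {p: is_within_template_root(root, p) for p in requested_paths}


def build_fixture():
    """Create a constructed layout: a template subtree plus a file outside it.

    Returns (template_root, outside_file). Exists only to exercise the check.
    """
    base = tempfile.mkdtemp(prefix="copier-confinement-")
    template_root = os.path.join(base, "template")
    os.makedirs(os.path.join(template_root, "partials"))
    with open(os.path.join(template_root, "partials", "header.jinja"), "w") as f:
        f.write("# header\n")
    outside_file = os.path.join(base, "outside.txt")
    with open(outside_file, "w") as f:
        f.write("not part of the template\n")
    # A symlink inside the tree that points outside must be rejected too.
    os.symlink(outside_file, os.path.join(template_root, "escape.txt"))
    return template_root, outside_file


def run_confinement_check():
    """Return the allow/reject decision for a representative set of paths."""
    template_root, outside_file = build_fixture()
    requests = [
        "partials/header.jinja",       # legitimate include inside the tree
        "../outside.txt",              # parent traversal
        "partials/../../outside.txt",  # traversal hidden mid-path
        outside_file,                  # absolute path outside the tree
        "escape.txt",                  # symlink pointing outside
    ]
    return check_template_includes(template_root, requests)


if __name__ == "__main__":
    for path, allowed in run_confinement_check().items():
        print(f"{'ALLOW' if allowed else 'REJECT':6} {path}")
```

Only the first path should be allowed. When verifying an upgraded Copier, feed the same kinds of paths through `{% include ... %}` in a throwaway template and confirm that generation fails for every path this check rejects; a render that succeeds for any of them means the confinement is still not being enforced.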
Update the Copier library to version 9.9.1 or later. This fixes the arbitrary file read/write vulnerability. You can update using `pip install --upgrade copier`.
CVE-2025-55201 is a HIGH severity vulnerability in Copier versions ≤9.9.0 that allows attackers to bypass Jinja template restrictions and read arbitrary files.
You are affected if you are using Copier version 9.9.0 or earlier. Upgrade to version 9.9.1 to mitigate the vulnerability.
Upgrade to Copier version 9.9.1. As a temporary workaround, restrict template sources and disable unsafe Jinja features.
There are currently no reports of active exploitation, but the vulnerability is publicly known.
Refer to the Copier project's official documentation and release notes for updates and advisories regarding CVE-2025-55201.