python-dotenv Symlink Following in set_key Allows Arbitrary File Overwrite via Cross-Device Rename Fallback

Vulnerability

A vulnerability in python-dotenv prior to version 1.2.2 allows for arbitrary file overwriting through symbolic link manipulation. The issue arises in the 'set_key()' and 'unset_key()' functions, which follow symlinks when rewriting '.env' files. This behavior can be exploited by a local attacker to overwrite files via a crafted symlink, particularly when a cross-device rename fallback is triggered. The vulnerability requires the application to have write access to the directory containing the target file, and for the '.env' file to be a symlink pointing to a writable file on the same device.

Impact

Exploitation of this vulnerability can lead to unauthorized overwriting of files, potentially corrupting or destroying important configuration data. In cases where the application or process has elevated privileges, this could also result in writing to files outside of the user's normal access rights, with a risk of privilege escalation.

Reproduction

The vulnerability can be reproduced by creating a symlink to a target file in a directory where the application has write access. When 'set_key()' or 'unset_key()' is called, the symlink will be followed, and the target file will be overwritten with the new '.env' content. This requires the temporary file operations to cross device boundaries, which is common on Linux systems.
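A hardened rewrite routine, added here as an example and not python-dotenv's own code, shows the two defensive measures the description implies: refuse to rewrite an '.env' path that is a symlink, and keep the temporary file on the same device so the final step is a plain rename rather than a copy that opens the link's target. It assumes a plain KEY=value file format; the function names, file names and contents are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def check_not_symlink(path: str) -> Path:
    """Refuse to rewrite an .env path that is a symlink or any other non-regular file."""
    p = Path(path)
    # is_symlink() uses lstat, so the link itself is detected rather than followed;
    # a missing .env is allowed because it may legitimately be created.
    if p.is_symlink() or (p.exists() and not p.is_file()):
        raise PermissionError(f"refusing to rewrite non-regular file: {p}")
    return p


def safe_set_key(path: str, key: str, value: str) -> None:
    """Hypothetical hardened set_key (not python-dotenv's code); plain KEY=value lines only."""
    p = check_not_symlink(path)
    lines = p.read_text().splitlines() if p.exists() else []
    keys = [line.split("=", 1)[0].strip() for line in lines]
    if key in keys:
        lines[keys.index(key)] = f"{key}={value}"
    else:
        lines.append(f"{key}={value}")
    # The temp file sits in the target's own directory, so the final rename never crosses
    # a device. os.replace() is rename(2): it swaps the directory entry without following a
    # symlink at the destination, and across devices it raises OSError (EXDEV) rather than
    # falling back to a copy that would open whatever the link points at.
    fd, tmp = tempfile.mkstemp(dir=str(p.parent), prefix=".env.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write("\n".join(lines) + "\n")
        os.replace(tmp, p)
    except BaseException:
        os.unlink(tmp)
        raise


def demo() -> dict:
    """Constructed scenario: a regular .env is updated, a symlinked .env is refused."""
    with tempfile.TemporaryDirectory() as d:
        regular, target, linked = (os.path.join(d, n) for n in ("app.env", "victim.txt", "linked.env"))
        safe_set_key(regular, "DB_HOST", "localhost")
        safe_set_key(regular, "DB_HOST", "db.internal")  # update the existing key in place
        Path(target).write_text("original contents\n")   # constructed stand-in for a protected file
        os.symlink(target, linked)
        try:
            safe_set_key(linked, "X", "1")
            refused = False
        except PermissionError:
            refused = True
        return {"env": Path(regular).read_text(), "refused": refused,
                "target_intact": Path(target).read_text() == "original contents\n"}
```

Running demo() shows the regular file updated in place while the symlinked path is rejected and the file it points at is left untouched.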

Remediation

Users are advised to upgrade to python-dotenv version 1.2.2, where this vulnerability has been addressed. Instructions for applying the patch manually are also available.

Added: Apr 20, 2026, 5:40 PM
Updated: Apr 20, 2026, 5:40 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          5.0
exploitability  4.0
remediation     0.0
relevance       6.3
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.