PyMuPDF Path Traversal and Arbitrary File Write Vulnerability

A path traversal vulnerability allowing arbitrary file writes has been identified in PyMuPDF version 1.26.5. This issue arises in the embedded 'get' function within '_main_.py'. The vulnerability allows for writing files outside of the intended directory, potentially overwriting existing files.

Impact

Exploitation of this vulnerability could lead to unauthorized file writes, including overwriting existing files, which could disrupt normal application operations or cause data loss.

Reproduction

The vulnerability can be reproduced by using the 'pymupdf embed-extract' command without the '-unsafe' flag. The command will refuse to write to an existing file or outside the current directory, demonstrating the vulnerability's impact on file handling. However, when the '-unsafe' flag is used, the command will overwrite files or write outside the current directory, bypassing the safety checks.

Remediation

Users can update to PyMuPDF version 1.27.2.2, which addresses this vulnerability by improving the safety of the 'embed-extract' command. The updated version is available on the PyMuPDF GitHub repository.