python-poetry
cpe:2.3:a:python-poetry:poetry:*:*:*:*:python:*:*
- >= 1.4.0, <= 2.3.2
A path traversal vulnerability has been identified in Poetry, a Python dependency manager, affecting versions from 1.4.0 up to but not including 2.3.3. The issue arises because a crafted wheel can include entries with ../ path segments that Poetry writes to disk without checking that the resulting path stays inside the target directory. This flaw allows arbitrary file writes with the privileges of the Poetry process. It can be triggered by an untrusted package artifact during a regular installation. Installing a malicious wheel does not by itself execute code; execution may follow if the files it writes are later imported or run by the user.
The vulnerability allows arbitrary file writes, with the potential to overwrite existing files or create new ones in any location writable by the user running the Poetry process. This could lead to the execution of malicious code if the written files are imported or executed as part of a Python application.
To reproduce this vulnerability, create a wheel file that includes a path traversal payload, such as a file named '../../traversal.txt'. When this wheel is installed using Poetry, the file will be written outside the intended directory, demonstrating the path traversal flaw.
Users can upgrade to Poetry version 2.3.3 or later, which resolves the vulnerability by ensuring that target paths are properly validated before writing. Instructions for downloading the latest version of Poetry are available on the Poetry GitHub Releases page.
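The fix described above amounts to a containment check on every archive entry before anything is written. The following is an added example, not Poetry's own code, showing what such a check looks like and how an installer can refuse a wheel whose entries would escape the destination. The function names (is_contained, unsafe_entries, extract_checked, build_sample_wheel), the package name demo_pkg and the in-memory wheel are assumptions constructed for the example; the traversal entry name '../../traversal.txt' is the one the advisory uses.

```python
import io
import zipfile
from pathlib import Path, PurePosixPath
from typing import List


def is_contained(dest_dir: str, member_name: str) -> bool:
    """Return True only if `member_name`, joined to `dest_dir`, resolves to a
    path inside `dest_dir`. This is the check an installer must run on each
    archive entry before writing it."""
    dest = Path(dest_dir).resolve()
    pure = PurePosixPath(member_name)
    # Absolute names, backslashes (Windows separators) and any '..' segment
    # are the classic ways an archive entry escapes its destination.
    if pure.is_absolute() or "\\" in member_name or ".." in pure.parts:
        return False
    target = (dest / member_name).resolve()
    try:
        target.relative_to(dest)
    except ValueError:
        return False
    return True


def unsafe_entries(wheel_bytes: bytes, dest_dir: str) -> List[str]:
    """List the members of an in-memory wheel that would land outside dest_dir."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        return [name for name in zf.namelist() if not is_contained(dest_dir, name)]


def extract_checked(wheel_bytes: bytes, dest_dir: str) -> List[str]:
    """Validate every entry first, then write; on any offending entry refuse the
    whole wheel and write nothing. Returns the names actually written."""
    bad = unsafe_entries(wheel_bytes, dest_dir)
    if bad:
        raise ValueError(f"refusing to install: entries escape {dest_dir}: {bad}")
    root = Path(dest_dir).resolve()
    written: List[str] = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for info in zf.infolist():
            target = root / info.filename
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(info.filename)
    return written


def build_sample_wheel(with_traversal: bool) -> bytes:
    """Constructed sample: a minimal wheel-like zip (a wheel is a zip file),
    optionally carrying the traversal entry named in the advisory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo_pkg/__init__.py", "VERSION = '0.0'\n")
        zf.writestr("demo_pkg-0.0.dist-info/METADATA", "Name: demo_pkg\nVersion: 0.0\n")
        if with_traversal:
            # zipfile happily records this name; only the installer's check stops it.
            zf.writestr("../../traversal.txt", "escaped\n")
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as site:
        print("clean wheel flagged entries:", unsafe_entries(build_sample_wheel(False), site))
        print("crafted wheel flagged entries:", unsafe_entries(build_sample_wheel(True), site))
        print("installed:", extract_checked(build_sample_wheel(False), site))
        try:
            extract_checked(build_sample_wheel(True), site)
        except ValueError as exc:
            print("blocked:", exc)
```

The check resolves both sides (destination and candidate path) before comparing them so that symlinked temp directories do not produce false rejections, and it rejects on the raw entry name as well, since an explicit '..' segment has no legitimate use in a wheel. Symlink entries inside the archive are a separate concern this example does not cover.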