Gleam
- >= 0.18.0-rc1, < 1.17.0
A path traversal vulnerability has been identified in Gleam's dependency management system, affecting versions from 0.18.0-rc1 up to, but not including, 1.17.0. It allows arbitrary directory deletion through malicious content in the 'build/packages/packages.toml' file. The root cause is that package keys from this file are read without validation and used directly to construct filesystem paths, which are then removed recursively. Because both absolute paths and relative traversal sequences (such as '..' components) are accepted as package keys, the resulting paths can point outside the intended 'build/packages/' directory, enabling deletion of arbitrary directories on the victim's system.
Exploitation of this vulnerability leads to the recursive deletion of arbitrary directories on the victim's machine, which could include important files such as source code, configuration, or personal data. The deletion happens without any user notification or confirmation.
To reproduce this vulnerability, create a Gleam project and include a malicious 'build/packages/packages.toml' file with a package key that specifies an absolute path or a relative traversal sequence. Afterward, run the 'gleam deps download' command. The specified directory will be recursively deleted.
Upgrade to Gleam version 1.17.0 or later, which patches this vulnerability.
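The missing check described above, as an added example in Rust (the language Gleam's tooling is written in) and not Gleam's own code: a package key taken from packages.toml is accepted only if it is a single plain path component, so the path built under build/packages/ can never escape that directory. The function name, the packages directory constant and the sample keys are assumptions.

```rust
use std::path::{Component, Path, PathBuf};

/// Root under which dependency packages are unpacked (assumed layout).
const PACKAGES_DIR: &str = "build/packages";

/// Hypothetical validation for a package key read from packages.toml.
/// Returns the path to operate on only when `key` is a single plain
/// component: no separators, no ".", no "..", no absolute prefix.
pub fn safe_package_path(packages_dir: &Path, key: &str) -> Option<PathBuf> {
    // Reject empty keys and any embedded separator or NUL byte outright.
    if key.is_empty() || key.contains(|c: char| c == '/' || c == '\\' || c == '\0') {
        return None;
    }
    let key_path = Path::new(key);
    // Exactly one Normal component is allowed; CurDir, ParentDir,
    // RootDir and Prefix components are all rejected.
    let mut components = key_path.components();
    match (components.next(), components.next()) {
        (Some(Component::Normal(_)), None) => {}
        _ => return None,
    }
    let joined = packages_dir.join(key_path);
    // Defence in depth: the joined path must still sit under packages_dir.
    if !joined.starts_with(packages_dir) {
        return None;
    }
    Some(joined)
}

fn main() {
    let dir = Path::new(PACKAGES_DIR);
    // Constructed sample keys: one legitimate, the rest traversal attempts.
    for key in ["gleam_stdlib", "../../src", "/tmp", "a/b", "..", ".", ""] {
        match safe_package_path(dir, key) {
            Some(p) => println!("{key:?} -> ok, path {}", p.display()),
            None => println!("{key:?} -> rejected"),
        }
    }
}
```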