{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-55214", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-08-08T21:55:07.967Z", "datePublished": "2025-08-18T16:36:46.621Z", "dateUpdated": "2025-08-18T19:47:31.803Z"}, "containers": {"cna": {"title": "Copier safe template has filesystem write access outside destination path", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/copier-org/copier/security/advisories/GHSA-p7q8-grrj-3m8w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/copier-org/copier/security/advisories/GHSA-p7q8-grrj-3m8w"}, {"name": "https://github.com/copier-org/copier/commit/fdbc0167cc22780b497e4db176feaf6f024757d6", "tags": ["x_refsource_MISC"], "url": "https://github.com/copier-org/copier/commit/fdbc0167cc22780b497e4db176feaf6f024757d6"}], "affected": [{"vendor": "copier-org", "product": "copier", "versions": [{"version": ">= 7.1.0, < 9.9.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-18T16:36:46.621Z"}, "descriptions": [{"lang": "en", "value": "Copier library and CLI app for rendering project templates. From 7.1.0 to before 9.9.1, Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the --UNSAFE,--trust flag. As it turns out, a safe template can currently write files outside the destination path where a project shall be generated or updated. This is possible when rendering a generated directory structure whose rendered path is either a relative parent path or an absolute path. Constructing such paths is possible using Copier's builtin pathjoin Jinja filter and its builtin _copier_conf.sep variable, which is the platform-native path separator. This way, a malicious template author can create a template that overwrites arbitrary files (according to the user's write permissions), e.g., to cause havoc. This vulnerability is fixed in 9.9.1."}], "source": {"advisory": "GHSA-p7q8-grrj-3m8w", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-18T19:46:44.392978Z", "id": "CVE-2025-55214", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-18T19:47:31.803Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-55214", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-18T19:46:44.392978Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-18T19:46:57.846Z"}}], "cna": {"title": "Copier safe template has filesystem write access outside destination path", "source": {"advisory": "GHSA-p7q8-grrj-3m8w", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "copier-org", "product": "copier", "versions": [{"status": "affected", "version": ">= 7.1.0, < 9.9.1"}]}], "references": [{"url": "https://github.com/copier-org/copier/security/advisories/GHSA-p7q8-grrj-3m8w", "name": "https://github.com/copier-org/copier/security/advisories/GHSA-p7q8-grrj-3m8w", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/copier-org/copier/commit/fdbc0167cc22780b497e4db176feaf6f024757d6", "name": "https://github.com/copier-org/copier/commit/fdbc0167cc22780b497e4db176feaf6f024757d6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Copier library and CLI app for rendering project templates. From 7.1.0 to before 9.9.1, Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the --UNSAFE,--trust flag. As it turns out, a safe template can currently write files outside the destination path where a project shall be generated or updated. This is possible when rendering a generated directory structure whose rendered path is either a relative parent path or an absolute path. Constructing such paths is possible using Copier's builtin pathjoin Jinja filter and its builtin _copier_conf.sep variable, which is the platform-native path separator. This way, a malicious template author can create a template that overwrites arbitrary files (according to the user's write permissions), e.g., to cause havoc. This vulnerability is fixed in 9.9.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-18T16:36:46.621Z"}}}, "cveMetadata": {"cveId": "CVE-2025-55214", "state": "PUBLISHED", "dateUpdated": "2025-08-18T19:47:31.803Z", "dateReserved": "2025-08-08T21:55:07.967Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-08-18T16:36:46.621Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Copier library and CLI app for rendering project templates. From 7.1.0 to before 9.9.1, Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the --UNSAFE,--trust flag. As it turns out, a safe template can currently write files outside the destination path where a project shall be generated or updated. This is possible when rendering a generated directory structure whose rendered path is either a relative parent path or an absolute path. Constructing such paths is possible using Copier's builtin pathjoin Jinja filter and its builtin _copier_conf.sep variable, which is the platform-native path separator. This way, a malicious template author can create a template that overwrites arbitrary files (according to the user's write permissions), e.g., to cause havoc. This vulnerability is fixed in 9.9.1."}, {"lang": "es", "value": "Librer\u00eda Copier y aplicaci\u00f3n CLI para renderizar plantillas de proyecto. Desde la versi\u00f3n 7.1.0 hasta la 9.9.1, Copier sugiere que es seguro generar un proyecto a partir de una plantilla segura, es decir, una que no utilice funciones inseguras como extensiones personalizadas de Jinja, que requerir\u00edan el indicador --UNSAFE,--trust. Resulta que, actualmente, una plantilla segura puede escribir archivos fuera de la ruta de destino donde se generar\u00e1 o actualizar\u00e1 un proyecto. Esto es posible al renderizar una estructura de directorios generada cuya ruta renderizada es una ruta principal relativa o una ruta absoluta. Estas rutas se pueden construir mediante el filtro pathjoin de Jinja integrado de Copier y su variable _copier_conf.sep integrada, que es el separador de rutas nativo de la plataforma. De esta forma, un creador de plantillas malintencionado puede crear una plantilla que sobrescriba archivos arbitrarios (seg\u00fan los permisos de escritura del usuario), por ejemplo, para causar problemas. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 9.9.1."}], "id": "CVE-2025-55214", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-08-18T17:15:30.310", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/copier-org/copier/commit/fdbc0167cc22780b497e4db176feaf6f024757d6"}, {"source": "security-advisories@github.com", "url": "https://github.com/copier-org/copier/security/advisories/GHSA-p7q8-grrj-3m8w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"created": "2025-08-18T21:20:45.118307+00:00", "updated": "2025-08-18T21:20:45.118375+00:00", "vendors": ["copier-org", "copier-org$PRODUCT$copier"]}