You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize /../ sequences that can resolve to a location that is outside of that directory.
Learn more on MITRE.
pyrageuses the Rustagecrate for its underlying operations, andageis vulnerable to GHSA-4fg7-vxc8-qx5w.All details of GHSA-4fg7-vxc8-qx5w are relevant to
pyragefor the versions specified in this advisory. See GHSA-4fg7-vxc8-qx5w for full details.Versions of
pyragebefore 1.2.0 lack plugin support and are therefore not affected.An equivalent issue was fixed in the reference Go implementation of age, see advisory GHSA-32gq-x56h-299c.
Thanks to ⬡-49016 for reporting this issue.