CVE-2026-42795

June 2, 2026, 4:16 p.m.

5.1
Medium

Description

Symlink following vulnerability in Gleam's Hex package export allows files outside the project root to be embedded in the generated package tarball. The file collection helpers (gleam_files, native_files, private_files) in compiler-cli/src/fs.rs use follow_links(true) when walking publishable directories such as src/ and priv/. The collected paths are added to the package archive via add_path_to_tar in compiler-cli/src/publish.rs without verifying that the resolved target remains within the project root. A symlink placed under a publishable directory will cause gleam export hex-tarball or gleam publish to embed the contents of the symlink target into the generated Hex package. An attacker with write access to the project repository can place a symlink in src/ or priv/ pointing to an arbitrary file. When a maintainer or CI pipeline runs gleam publish or gleam export hex-tarball, local files readable by the publisher (such as secrets, tokens, or SSH keys) are silently embedded into the published package artifact. This issue affects Gleam from 0.10.0-rc1 until 1.17.0.

Product(s) Impacted

Vendor Product Versions
Gleam
  • Gleam
  • 0.10.0-1.17.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-59
Improper Link Resolution Before File Access ('Link Following')
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a gleam gleam 0.10.0-1.17.0 / / / / / / /

References

https://cna.erlef.org/cves/CVE-2026-42795.html
https://github.com/gleam-lang/gleam/commit/6435a5528b9ae0449e2f32be579641ec485f6866
https://github.com/gleam-lang/gleam/security/advisories/GHSA-qhh5-fg4c-8gqc
https://osv.dev/vulnerability/EEF-CVE-2026-42795
https://github.com/gleam-lang/gleam/security/advisories/GHSA-qhh5-fg4c-8gqc

Tags

CWE-59
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
2026-06-02
CVE-2026-42795

CVSS Score

5.1 / 10

CVSS Data - 4.0

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: LOW
  • User Interaction: ACTIVE
  • Scope:
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: June 2, 2026, 2:16 p.m.
Last Modified: June 2, 2026, 4:16 p.m.

Status : Deferred

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

6b3ad84c-e1a6-4bf7-a703-f496b71e49db

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.