Nixpkgs security tracker
NIXPKGS-2026-1201
GitHub issue
published 2 months ago
Permalink
CVE-2026-28684
6.6 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Local (L)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): Required (R)
- Scope (S): Unchanged (U)
- Confidentiality (C): None (N)
- Integrity (I): High (H)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Local (L)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): None (N)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): High (H)
by @LeSuisse Activity log
- Created suggestion
- @LeSuisse accepted
- @LeSuisse published on GitHub
python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback
python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, `set_key()` and `unset_key()` in python-dotenv follow symbolic links when rewriting `.env` files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when a cross-device rename fallback is triggered. Users should upgrade to v.1.2.2 or, as a workaround, apply the patch manually.
References
-
https://github.com/theskumar/python-dotenv/security/advisories/GHSA-mf9w-mj56-hr94 x_refsource_CONFIRMexploit
Ignored references (1)
-
https://github.com/theskumar/python-dotenv/releases/tag/v1.2.2 x_refsource_MISC
Affected products
python-dotenv
- ==< 1.2.2
Matching in nixpkgs
pkgs.python312Packages.python-dotenv
None
pkgs.python313Packages.python-dotenv
Add .env support to your django/flask apps in development and deployments
pkgs.python314Packages.python-dotenv
Add .env support to your django/flask apps in development and deployments
Package maintainers
-
@erikarvstedt Erik Arvstedt <erik.arvstedt@gmail.com>