Nixpkgs security tracker

Dismissed

Permalink CVE-2026-3087

updated 1 week ago by @LeSuisse Activity log

Created suggestion 1 week, 1 day ago
@LeSuisse dismissed 1 week ago

shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs

If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.

References

https://github.com/python/cpython/pull/146591 patch
https://github.com/python/cpython/issues/146581 issue-tracking
https://mail.python.org/archives/list/security-announce@python.org/thread/X6FXE… vendor-advisory

Affected products

CPython

Matching in nixpkgs

pkgs.haskellPackages.cpython

Bindings for libpython

nixos-unstable 3.9.0
- nixpkgs-unstable 3.9.0
- nixos-unstable-small 3.9.0
nixos-25.11 3.9.0
- nixos-25.11-small 3.9.0
- nixpkgs-25.11-darwin 3.9.0

Package maintainers

@sheepforce Phillip Seeber <phillip.seeber@googlemail.com>

Windows issue.

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.haskellPackages.cpython

Package maintainers