NIXPKGS-2026-1853

GitHub issue published on

Permalink CVE-2026-42795

5.1 MEDIUM

CVSS version (CVSS): 4.0
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): Active (A)
Vulnerable System Impact Confidentiality (VC): High (H)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): Active (A)
Modified Vulnerable System Impact Confidentiality (MVC): High (H)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

updated 8 hours ago by @LeSuisse Activity log

Created suggestion 12 hours ago
@LeSuisse ignored
6 packages
- vscode-extensions.gleam.gleam
- tree-sitter-grammars.tree-sitter-gleam
- vimPlugins.nvim-treesitter-parsers.gleam
- python312Packages.tree-sitter-grammars.tree-sitter-gleam
- python313Packages.tree-sitter-grammars.tree-sitter-gleam
- python314Packages.tree-sitter-grammars.tree-sitter-gleam
8 hours ago
@LeSuisse accepted 8 hours ago
@LeSuisse published on GitHub 8 hours ago

Symlink Following in Hex Package Export Allows Embedding Files Outside Project Root

Symlink following vulnerability in Gleam's Hex package export allows files outside the project root to be embedded in the generated package tarball. The file collection helpers (gleam_files, native_files, private_files) in compiler-cli/src/fs.rs use follow_links(true) when walking publishable directories such as src/ and priv/. The collected paths are added to the package archive via add_path_to_tar in compiler-cli/src/publish.rs without verifying that the resolved target remains within the project root. A symlink placed under a publishable directory will cause gleam export hex-tarball or gleam publish to embed the contents of the symlink target into the generated Hex package. An attacker with write access to the project repository can place a symlink in src/ or priv/ pointing to an arbitrary file. When a maintainer or CI pipeline runs gleam publish or gleam export hex-tarball, local files readable by the publisher (such as secrets, tokens, or SSH keys) are silently embedded into the published package artifact. This issue affects Gleam from 0.10.0-rc1 until 1.17.0.

References

https://github.com/gleam-lang/gleam/security/advisories/GHSA-qhh5-fg4c-8gqc relatedexploitvendor-advisory
https://cna.erlef.org/cves/CVE-2026-42795.html related
https://osv.dev/vulnerability/EEF-CVE-2026-42795 related
https://github.com/gleam-lang/gleam/commit/6435a5528b9ae0449e2f32be579641ec485f… patch

Affected products

gleam

<1.17.0

gleam-lang/gleam

<1.17.0
<v1.17.0-erlang
<v1.17.0-erlang-alpine
<v1.17.0-elixir
<v1.17.0-elixir-alpine
<v1.17.0-elixir-slim
<v1.17.0-node-slim
<v1.17.0-scratch
<v1.17.0-node-alpine
<v1.17.0-erlang-slim
<v1.17.0-node
<6435a5528b9ae0449e2f32be579641ec485f6866

Matching in nixpkgs

pkgs.gleam

Statically typed language for the Erlang VM

nixos-unstable 1.16.0
- nixpkgs-unstable 1.16.0
- nixos-unstable-small 1.16.0
nixos-25.11 1.16.0
- nixos-25.11-small 1.16.0
- nixpkgs-25.11-darwin 1.16.0

Ignored packages (6)

pkgs.vscode-extensions.gleam.gleam

Support for the Gleam programming language

nixos-unstable 2.12.1
- nixpkgs-unstable 2.12.1
- nixos-unstable-small 2.12.1
nixos-25.11 2.12.1
- nixos-25.11-small 2.12.1
- nixpkgs-25.11-darwin 2.12.1

pkgs.tree-sitter-grammars.tree-sitter-gleam

None

nixos-unstable 1.1.0
- nixpkgs-unstable 1.1.0
- nixos-unstable-small 1.1.0
nixos-25.11 0.25.10
- nixos-25.11-small 0.25.10
- nixpkgs-25.11-darwin 0.25.10

pkgs.vimPlugins.nvim-treesitter-parsers.gleam

None

nixos-unstable 0.0.0+rev=0bb1b0a
- nixpkgs-unstable 0.0.0+rev=0bb1b0a
- nixos-unstable-small 0.0.0+rev=0bb1b0a
nixos-25.11 -
- nixos-25.11-small
- nixpkgs-25.11-darwin

pkgs.python312Packages.tree-sitter-grammars.tree-sitter-gleam

Python bindings for tree-sitter-gleam

nixos-25.11 0.25.10
- nixos-25.11-small 0.25.10
- nixpkgs-25.11-darwin 0.25.10

pkgs.python313Packages.tree-sitter-grammars.tree-sitter-gleam

Python bindings for tree-sitter-gleam

nixos-unstable 1.1.0
- nixpkgs-unstable 1.1.0
- nixos-unstable-small 1.1.0
nixos-25.11 0.25.10
- nixos-25.11-small 0.25.10
- nixpkgs-25.11-darwin 0.25.10

pkgs.python314Packages.tree-sitter-grammars.tree-sitter-gleam

Python bindings for tree-sitter-gleam

nixos-unstable 1.1.0
- nixpkgs-unstable 1.1.0
- nixos-unstable-small 1.1.0

Nixpkgs security tracker

Details of issue NIXPKGS-2026-1853

References

Affected products

Matching in nixpkgs

pkgs.gleam

pkgs.vscode-extensions.gleam.gleam

pkgs.tree-sitter-grammars.tree-sitter-gleam

pkgs.vimPlugins.nvim-treesitter-parsers.gleam

pkgs.python312Packages.tree-sitter-grammars.tree-sitter-gleam

pkgs.python313Packages.tree-sitter-grammars.tree-sitter-gleam

pkgs.python314Packages.tree-sitter-grammars.tree-sitter-gleam