Nixpkgs security tracker

Login with GitHub

Suggestions search

All statuses

Filter by:

With package: gdown

Found 1 matching suggestions

View:

Compact

Detailed

Published

Permalink CVE-2026-40491

6.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): HIGH
Availability impact (A): NONE

updated 6 hours ago by @LeSuisse Activity log

Created automatic suggestion 19 hours ago
@LeSuisse ignored
6 packages
- hongdown
- lgogdownloader
- lgogdownloader-gui
- python312Packages.gdown
- python313Packages.gdown
- python314Packages.gdown
7 hours ago
@LeSuisse ignored reference https://g… 7 hours ago
@LeSuisse accepted 7 hours ago
@LeSuisse published on GitHub 6 hours ago

gdown Affected by Arbitrary File Write via Path Traversal in gdown.extractall

gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members. This allow files to be written outside the intended destination directory, potentially leading to arbitrary file overwrite and Remote Code Execution (RCE). Version 5.2.2 contains a fix.

References

https://github.com/wkentaro/gdown/security/advisories/GHSA-76hw-p97h-883f x_refsource_CONFIRM
https://github.com/wkentaro/gdown/commit/af569fc6ed300b7974dee66dc51e9f01b57b4dff x_refsource_MISC

Ignored references (1)

https://github.com/wkentaro/gdown/releases/tag/v5.2.2 x_refsource_MISC

Affected products

gdown

==< 5.2.2

Matching in nixpkgs

pkgs.gdown

CLI tool for downloading large files from Google Drive

nixos-unstable 5.2.1
- nixpkgs-unstable 5.2.1
- nixos-unstable-small 5.2.1
nixos-25.11 5.2.0
- nixos-25.11-small 5.2.0
- nixpkgs-25.11-darwin 5.2.0

Ignored packages (6)

pkgs.hongdown

Markdown formatter that enforces Hong Minhee's Markdown style conventions

nixos-unstable 0.3.4
- nixpkgs-unstable 0.3.4
- nixos-unstable-small 0.3.4

pkgs.lgogdownloader

Unofficial downloader to GOG.com for Linux users. It uses the same API as the official GOGDownloader

nixos-unstable 3.18
- nixpkgs-unstable 3.18
- nixos-unstable-small 3.18
nixos-25.11 3.18
- nixos-25.11-small 3.18
- nixpkgs-25.11-darwin 3.18

pkgs.lgogdownloader-gui

Unofficial downloader to GOG.com for Linux users. It uses the same API as the official GOGDownloader

nixos-unstable 3.18
- nixpkgs-unstable 3.18
- nixos-unstable-small 3.18
nixos-25.11 3.18
- nixos-25.11-small 3.18
- nixpkgs-25.11-darwin 3.18

pkgs.python312Packages.gdown

CLI tool for downloading large files from Google Drive

nixos-25.11 5.2.0
- nixos-25.11-small 5.2.0
- nixpkgs-25.11-darwin 5.2.0

pkgs.python313Packages.gdown

CLI tool for downloading large files from Google Drive

nixos-unstable 5.2.1
- nixpkgs-unstable 5.2.1
- nixos-unstable-small 5.2.1
nixos-25.11 5.2.0
- nixos-25.11-small 5.2.0
- nixpkgs-25.11-darwin 5.2.0

pkgs.python314Packages.gdown

CLI tool for downloading large files from Google Drive

nixos-unstable 5.2.1
- nixpkgs-unstable 5.2.1
- nixos-unstable-small 5.2.1

Package maintainers

@breakds Break Yang <breakds@gmail.com>

1