From 7840a683b34d4f0a73decd21dd22102feeab1aa8 Mon Sep 17 00:00:00 2001
From: Henrique Cabral
Date: Thu, 25 Sep 2025 20:30:16 -0300
Subject: [PATCH] New vuln: Path Traversal in monai
---
input/new.json | 35 ++++++++++++++++++++++-------------
1 file changed, 22 insertions(+), 13 deletions(-)
diff --git a/input/new.json b/input/new.json
index 87646b9a..dbef3eb1 100644
--- a/input/new.json
+++ b/input/new.json
@@ -1,15 +1,24 @@
 {
- "package_name": "",
- "patch_versions": [],
- "vulnerable_ranges": [],
- "cwe": [],
- "tldr": "",
- "doest_this_affect_me": "",
- "how_to_fix": "",
- "vulnerable_to": "",
- "related_cve_id": "",
- "language": "",
- "severity_class": "",
- "aikido_score": 0,
- "changelog": ""
+ "package_name": "monai",
+ "patch_versions": [
+ "1.5.1"
+ ],
+ "vulnerable_ranges": [
+ [
+ "0.0.1",
+ "1.5.0"
+ ]
+ ],
+ "cwe": [
+ "CWE-22"
+ ],
+ "tldr": "Affected versions of this package are vulnerable to a path traversal attack known as Zip Slip, where the `zip_file.extractall` function is used without sanitizing file paths, allowing malicious zip archives to overwrite arbitrary system files when decompressed. This issue is compounded by the project's capability to download zip files from remote links, broadening the attack surface. An attacker can exploit this vulnerability by crafting a zip file that includes paths with directory traversals and distributing it via a link. When the victim's application downloads and extracts the file, it overwrites critical system files, potentially leading to a compromise.",
+ "doest_this_affect_me": "You are affected if you are using a version that falls within the vulnerable range.",
+ "how_to_fix": "Upgrade the `monai` library to the patch version.",
+ "vulnerable_to": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
+ "related_cve_id": "CVE-2025-58755",
+ "language": "Python",
+ "severity_class": "HIGH",
+ "aikido_score": 88,
+ "changelog": "https://github.com/Project-MONAI/MONAI/blob/dev/CHANGELOG.md#151---2025-09-22"
 }
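Review bot: The new `doest_this_affect_me` and `how_to_fix` values are generic and omit the precondition that the `tldr` itself describes, so a reader cannot triage exposure from them. As the `tldr` states it, exposure depends on extracting a zip archive from a source the user does not control, and the fixed version is already in `patch_versions`. Suggest `"doest_this_affect_me": "You are affected if you run a monai version in the vulnerable range and your application extracts zip archives, including ones downloaded from remote links, that come from a source you do not control."` and `"how_to_fix": "Upgrade monai to 1.5.1 or later; until then, extract only archives from trusted sources."`. The `tldr` phrases "arbitrary system files" and "critical system files" also read broader than the mechanism supports, since writes are bounded by the filesystem permissions of the extracting process; "files writable by the process, outside the intended extraction directory" would be more precise. The `changelog` URL points at the `dev` branch, where the anchor can move, so a link pinned to the release tag would be more durable.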