PDM, Path Traversal, CVE-2026-34592 (High) -DC-Jun2026-392

A path traversal vulnerability exists in PDM (Python Dependency Manager) version 2.0.0 through 2.2.1, tracked as CVE-2026-34592. The flaw is located in the `InstallDestination.write_to_fs()` method within src/pdm/installers/installers.py. To understand the issue, consider how a package manager typically handles file extraction from a wheel archive: it must ensure that every file written to disk resides within the intended installation directory.
In the vulnerable versions, the `InstallDestination` class overrides the base `write_to_fs()` method to add support for symlinks and hardlinks. The base class includes a critical safety step, the `_path_with_destdir()` helper function, which validates each destination path using `Path.resolve()` and `is_relative_to()`. This validation verifies that the fully resolved canonical path remains inside the target destination.
The overridden `write_to_fs()` method in the vulnerable class replaced this safe helper with a simple `os.path.join()` operation. The `os.path.join()` function merely concatenates path strings; it performs no security validation on the resulting path. Consequently, when processing a malicious wheel archive that contains entries with `../` path traversal sequences (e.g., ../../etc/passwd), the vulnerable method will construct and return a full path that points outside the intended installation directory. The subsequent file write operation then proceeds using this unsanitized path, overwriting arbitrary files on the host system with the privileges of the PDM process.
This vulnerability is architecturally identical to the one previously identified in Poetry (CVE-2026-34591). The issue is triggered automatically whenever a user or CI/CD pipeline installs a compromised or intentionally malicious package from PyPI or any other configured source. No additional user interaction is required beyond the standard `pdm install` command. The vulnerability was addressed in pull request 3787 by reintroducing proper path validation.
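As an added example (not PDM's code), the contrast described above in one place: a `join()`-style construction beside a hardened check modelled on the page's description of `_path_with_destdir()`. The function names are hypothetical, and the constructed cases go beyond the page's `../` entry to absolute entries and a symlink inside the destination that points outside it.

```python
import os
import tempfile
from pathlib import Path

def unsafe_dest_path(dest_dir: str, entry: str) -> str:
    """The flawed pattern: plain concatenation, no confinement check."""
    return os.path.join(dest_dir, entry)

def safe_dest_path(dest_dir: str, entry: str) -> Path:
    """Hypothetical stand-in for the _path_with_destdir() idea (Python 3.9+):
    canonicalise dest_dir/entry and refuse anything outside dest_dir."""
    base = Path(dest_dir).resolve()
    # resolve() follows '..' and symlinked parents, so symlink escapes are
    # caught too, which a string prefix check would miss.
    target = (base / entry).resolve()
    if not target.is_relative_to(base):
        raise ValueError(f"wheel entry escapes destination: {entry!r}")
    return target

def classify_entries(dest_dir: str, entries: list[str]) -> dict[str, bool]:
    """True for entries the hardened check accepts, False for rejected ones."""
    verdict = {}
    for entry in entries:
        try:
            safe_dest_path(dest_dir, entry)
            verdict[entry] = True
        except ValueError:
            verdict[entry] = False
    return verdict

def demo() -> dict[str, bool]:
    """Run the check over constructed wheel entry names in a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "site-packages")
        os.makedirs(dest)
        entries = [
            "pkg/__init__.py",     # ordinary file: accepted
            "pkg/../pkg/util.py",  # '..' that stays inside: accepted
            "../../etc/passwd",    # the traversal from the advisory: rejected
            "/etc/passwd",         # absolute entry: os.path.join() drops dest
        ]
        try:  # constructed edge case: a symlink inside dest pointing outside
            os.symlink(tmp, os.path.join(dest, "escape"))
            entries.append("escape/outside.txt")  # join() would look confined
        except OSError:
            pass  # symlinks unavailable on this platform; skip that case
        return classify_entries(dest, entries)

if __name__ == "__main__":
    print(demo())
```

Note that `os.path.join()` silently discards `dest_dir` for an absolute entry, so the unsafe variant fails in two different ways while the resolve-and-compare check rejects both.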

DailyCVE Form:

Platform: PDM
Version: 2.0.0-2.2.1
Vulnerability: Path Traversal
Severity: High
Date: May 21, 2026

Prediction: June 24, 2026

What Undercode Say:

```shell
# Check vulnerable version
pdm --version

# Locate vulnerable file
find ~/.local/lib/python/site-packages/pdm -name "installers.py"

# Grep for the unsafe code
grep -n "def write_to_fs" ~/.local/lib/python/site-packages/pdm/installers/installers.py

# Simulate path traversal (PoC concept): os.path.join() does no validation
python3 -c "
import os
dest_dir = '/tmp/pdm_install'
malicious_entry = '../../etc/passwd'
unsafe_path = os.path.join(dest_dir, malicious_entry)
print(f'Would write to: {unsafe_path}')
# Expected output: Would write to: /tmp/pdm_install/../../etc/passwd
# After resolution: /etc/passwd (outside target!)
"

# Demonstrate the safe check used by the fix (requires Python 3.9+ for is_relative_to);
# the same entry is rejected here
python3 -c "
from pathlib import Path
dest_dir = Path('/tmp/pdm_install')
safe_entry = Path('../../etc/passwd')
try:
    resolved = (dest_dir / safe_entry).resolve()
    assert resolved.is_relative_to(dest_dir.resolve())
    print('Safe: validation passed')
except AssertionError:
    print('Unsafe: would escape dest_dir')
"
```

Exploit:

A malicious wheel archive is crafted containing `../` sequences within its internal file paths. The attacker publishes this wheel to PyPI under a tempting package name. When a victim installs the package using a vulnerable PDM version, the unsanitized path bypasses directory confinement and overwrites critical system files (e.g., ~/.ssh/authorized_keys, ~/.bashrc, /etc/cron.d/backdoor) with attacker-controlled content, leading to arbitrary code execution.

Protection:

  • Immediate: Upgrade to PDM 2.3.0 or later; enforce `--no-binary` flag for untrusted sources as a temporary workaround
  • Vendor Fix: The `write_to_fs()` method now validates all paths using `_path_with_destdir()` or equivalent canonical path checks before writing
  • Hardening: Run `pdm install` inside isolated containers (e.g., Docker) or with restricted filesystem capabilities (e.g., bubblewrap, firejail)

Impact:

Successful exploitation allows an attacker to write arbitrary files to any location reachable by the PDM process. This leads to remote code execution, privilege escalation, and full system compromise. The attack is particularly dangerous in CI/CD environments where PDM often runs with elevated privileges and automated package installation occurs without manual review.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode