ZenML version 0.83.1 is affected by a path traversal vulnerability in the `PathMaterializer` class. The `load` function uses `is_path_within_directory` to validate files during `data.tar.gz` extraction, which fails to effectively detect symbolic and hard links. This vulnerability can lead to arbitrary file writes, potentially resulting in arbitrary command execution if critical files are overwritten.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| zenml(PyPI) | 0.81.0 | 0.84.2 | N/A |
CVSS Metrics
