CVE-2026-45725: compliance-trestle Remote Fetching Mechanism has an Arbitrary File Write via Cache Path Traversal
The compliance-trestle library’s remote fetching cache mechanism (HTTPSFetcher and SFTPFetcher) constructs the local cache file path from the URL path component without sanitizing path traversal sequences (../). When a remote OSCAL profile references a URL with traversal in its path, the HTTP response body is written to a location outside the intended cache directory, enabling arbitrary file write with attacker-controlled content to the filesystem.
Attack chain: Malicious OSCAL profile → HTTPS fetch → cache path traversal → arbitrary file write → RCE (via cron, SSH keys, etc.)
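The flaw class described above, contrasting the unsafe cache-path construction with a hardened one, as an added illustration that is not compliance-trestle's own code: the function names, the cache layout and the sample URLs are assumptions, and the check also covers percent-encoded traversal segments, which URL decoding turns back into `../`.

```python
from pathlib import Path
from urllib.parse import unquote, urlparse

# Constructed sample inputs (not from the advisory): a local cache root and
# three URLs a remote OSCAL profile import might point at.
CACHE_ROOT = Path("/tmp/oscal-cache")
GOOD_URL = "https://example.invalid/profiles/base.json"
BAD_URL = "https://example.invalid/profiles/../../../../outside.json"
ENCODED_URL = "https://example.invalid/profiles/%2e%2e/%2e%2e/%2e%2e/%2e%2e/outside.json"


def naive_cache_path(cache_root: Path, url: str) -> Path:
    """The vulnerable pattern: join the (decoded) URL path onto the cache
    root verbatim. Any '..' segments in the URL walk out of the cache dir."""
    parsed = urlparse(url)
    rel = unquote(parsed.path).lstrip("/")
    return cache_root / parsed.netloc / rel


def would_escape_cache(cache_root: Path, url: str) -> bool:
    """Detection check: once normalised, does the naively built path land
    outside the cache root? Useful as a unit test against a fetcher."""
    root = cache_root.resolve()
    target = naive_cache_path(cache_root, url).resolve()
    # The cache root itself is not an acceptable write target either.
    return root not in target.parents


def safe_cache_path(cache_root: Path, url: str) -> Path:
    """Hardened pattern: build the path the same way, normalise it, and
    refuse anything that is not strictly inside the resolved cache root."""
    root = cache_root.resolve()
    target = naive_cache_path(cache_root, url).resolve()
    if root not in target.parents:
        raise ValueError(f"refusing cache path outside {root}: {url}")
    return target
```

Resolving both the root and the candidate before comparing also neutralises symlinked cache directories, which a plain string-prefix check would not.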
References
- github.com/advisories/GHSA-g3vg-vx23-3858
- github.com/oscal-compass/compliance-trestle/commit/89f4e53d159e8ff901da4d7c3b51c9556bd32ec0
- github.com/oscal-compass/compliance-trestle/commit/9abc492329fcc8d0557182317de9bde854385da3
- github.com/oscal-compass/compliance-trestle/security/advisories/GHSA-g3vg-vx23-3858
- nvd.nist.gov/vuln/detail/CVE-2026-45725