CVE-2026-34730: Copier `_external_data` allows path traversal and absolute-path local file read without unsafe mode
Copier’s _external_data feature allows a template to load YAML files using template-controlled paths. The documentation describes these values as relative paths from the subproject destination, so relative paths themselves appear to be part of the intended feature model.
However, the current implementation also allows destination-external reads, including:
- Parent-directory paths such as ../secret.yml
- Absolute paths such as /tmp/secret.yml
and then exposes the parsed contents in rendered output.
This is possible without --UNSAFE, which makes the behavior potentially dangerous when Copier is run against untrusted templates. I am not certain this is unintended behavior, but it is security-sensitive and appears important to clarify.
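As an added defender-side example (hypothetical hardening logic written for this page, not Copier's own code or its actual fix), the following check confines a template-supplied _external_data path to the subproject destination, rejecting both the absolute and the parent-directory cases described above as well as symlinks that resolve outside the destination:

```python
from __future__ import annotations

from pathlib import Path, PurePosixPath


class ExternalDataPathError(ValueError):
    """Raised when a template-supplied _external_data path escapes the destination."""


def resolve_external_data_path(dst_dir: str | Path, template_path: str) -> Path:
    """Resolve a template-controlled _external_data path and confine it to dst_dir.

    Hypothetical hardening check (not Copier's code): the path is interpreted as
    relative to the subproject destination, which is what the documentation
    describes. Absolute paths and any path that resolves outside dst_dir
    (via '..' components or symlinks) are rejected instead of being read.
    """
    # Check both POSIX and native absolute forms so '/tmp/secret.yml' is rejected
    # on every platform, not only where '/' is the native root.
    if PurePosixPath(template_path).is_absolute() or Path(template_path).is_absolute():
        raise ExternalDataPathError(f"absolute path not allowed: {template_path!r}")
    base = Path(dst_dir).resolve()
    # resolve() collapses '..' and follows symlinks, so a symlink planted inside the
    # destination that points outside is caught as well as a plain '../' traversal.
    candidate = (base / template_path).resolve()
    if not candidate.is_relative_to(base):
        raise ExternalDataPathError(f"path escapes destination: {template_path!r}")
    return candidate


def is_safe_external_data_path(dst_dir: str | Path, template_path: str) -> bool:
    """Boolean form for a pre-flight check over all _external_data entries of a template."""
    try:
        resolve_external_data_path(dst_dir, template_path)
        return True
    except ExternalDataPathError:
        return False


if __name__ == "__main__":
    # Constructed sample: a destination directory and the three path shapes discussed above.
    dst = "/tmp/copier-demo-dst"
    for p in ["config/extra.yml", "../secret.yml", "/tmp/secret.yml"]:
        verdict = "allowed" if is_safe_external_data_path(dst, p) else "rejected"
        print(f"{p!r}: {verdict}")
```

The directory passed as dst_dir does not need to exist for the check itself, since Path.resolve() is non-strict by default; the function only decides whether a read should be attempted.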
References
- github.com/advisories/GHSA-hgjq-p8cr-gg4h
- github.com/copier-org/copier
- github.com/copier-org/copier/commit/5413062eb17b73dc885f5e645cdc161e69ef641b
- github.com/copier-org/copier/releases/tag/v9.14.1
- github.com/copier-org/copier/security/advisories/GHSA-hgjq-p8cr-gg4h
- nvd.nist.gov/vuln/detail/CVE-2026-34730