{
  "resultsPerPage": 1,
  "startIndex": 0,
  "totalResults": 1,
  "format": "NVD_CVE",
  "version": "2.0",
  "timestamp": "2026-04-19T17:53:56.393",
  "vulnerabilities": [
    {
      "cve": {
        "id": "CVE-2025-55214",
        "sourceIdentifier": "security-advisories@github.com",
        "published": "2025-08-18T17:15:30.310",
        "lastModified": "2026-04-15T00:35:42.020",
        "vulnStatus": "Deferred",
        "cveTags": [],
        "descriptions": [
          {
            "lang": "en",
            "value": "Copier library and CLI app for rendering project templates. From 7.1.0 to before 9.9.1, Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the --UNSAFE,--trust flag. As it turns out, a safe template can currently write files outside the destination path where a project shall be generated or updated. This is possible when rendering a generated directory structure whose rendered path is either a relative parent path or an absolute path. Constructing such paths is possible using Copier's builtin pathjoin Jinja filter and its builtin _copier_conf.sep variable, which is the platform-native path separator. This way, a malicious template author can create a template that overwrites arbitrary files (according to the user's write permissions), e.g., to cause havoc. This vulnerability is fixed in 9.9.1."
          },
          {
            "lang": "es",
            "value": "Librería Copier y aplicación CLI para renderizar plantillas de proyecto. Desde la versión 7.1.0 hasta la 9.9.1, Copier sugiere que es seguro generar un proyecto a partir de una plantilla segura, es decir, una que no utilice funciones inseguras como extensiones personalizadas de Jinja, que requerirían el indicador --UNSAFE,--trust. Resulta que, actualmente, una plantilla segura puede escribir archivos fuera de la ruta de destino donde se generará o actualizará un proyecto. Esto es posible al renderizar una estructura de directorios generada cuya ruta renderizada es una ruta principal relativa o una ruta absoluta. Estas rutas se pueden construir mediante el filtro pathjoin de Jinja integrado de Copier y su variable _copier_conf.sep integrada, que es el separador de rutas nativo de la plataforma. De esta forma, un creador de plantillas malintencionado puede crear una plantilla que sobrescriba archivos arbitrarios (según los permisos de escritura del usuario), por ejemplo, para causar problemas. Esta vulnerabilidad se corrigió en la versión 9.9.1."
          }
        ],
        "metrics": {
          "cvssMetricV40": [
            {
              "source": "security-advisories@github.com",
              "type": "Secondary",
              "cvssData": {
                "version": "4.0",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "attackVector": "LOCAL",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "privilegesRequired": "NONE",
                "userInteraction": "PASSIVE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "subAvailabilityImpact": "NONE",
                "exploitMaturity": "NOT_DEFINED",
                "confidentialityRequirement": "NOT_DEFINED",
                "integrityRequirement": "NOT_DEFINED",
                "availabilityRequirement": "NOT_DEFINED",
                "modifiedAttackVector": "NOT_DEFINED",
                "modifiedAttackComplexity": "NOT_DEFINED",
                "modifiedAttackRequirements": "NOT_DEFINED",
                "modifiedPrivilegesRequired": "NOT_DEFINED",
                "modifiedUserInteraction": "NOT_DEFINED",
                "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
                "modifiedVulnIntegrityImpact": "NOT_DEFINED",
                "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
                "modifiedSubConfidentialityImpact": "NOT_DEFINED",
                "modifiedSubIntegrityImpact": "NOT_DEFINED",
                "modifiedSubAvailabilityImpact": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "valueDensity": "NOT_DEFINED",
                "vulnerabilityResponseEffort": "NOT_DEFINED",
                "providerUrgency": "NOT_DEFINED"
              }
            }
          ]
        },
        "weaknesses": [
          {
            "source": "security-advisories@github.com",
            "type": "Secondary",
            "description": [
              {
                "lang": "en",
                "value": "CWE-22"
              }
            ]
          }
        ],
        "references": [
          {
            "url": "https://github.com/copier-org/copier/commit/fdbc0167cc22780b497e4db176feaf6f024757d6",
            "source": "security-advisories@github.com"
          },
          {
            "url": "https://github.com/copier-org/copier/security/advisories/GHSA-p7q8-grrj-3m8w",
            "source": "security-advisories@github.com"
          }
        ]
      }
    }
  ]
}