Cyber Posture

CVE-2026-34783

Severity: High · Public PoC
Published: 06 April 2026
Modified: 14 April 2026
KEV Added
Patch
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
EPSS Score: 0.0015 (34.9th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Ferret is a declarative system for working with web data. Prior to 2.0.0-alpha.4, a path traversal vulnerability in Ferret's IO::FS::WRITE standard library function allows a malicious website to write arbitrary files to the filesystem of the machine running Ferret. When an operator scrapes a website that returns filenames containing ../ sequences, and uses those filenames to construct output paths (a standard scraping pattern), the attacker controls both the destination path and the file content. This can lead to remote code execution via cron jobs, SSH authorized_keys, shell profiles, or web shells. This vulnerability is fixed in 2.0.0-alpha.4.

Mitigating Controls (NIST 800-53 r5)

prevent: Directly remediates the path traversal flaw in Ferret's IO::FS::WRITE by requiring timely patching to version 2.0.0-alpha.4.

prevent: Validates untrusted scraped filenames containing path traversal sequences like '../' before using them to construct output paths for file writes.

prevent: Enforces least privilege on the Ferret process to restrict writes to non-sensitive directories, limiting damage from arbitrary file writes targeting cron jobs or authorized_keys.

Security Summary

CVE-2026-34783 is a path traversal vulnerability (CWE-22, CWE-73) in the IO::FS::WRITE standard library function of Ferret, a declarative system for working with web data. Versions of Ferret prior to 2.0.0-alpha.4 are affected, enabling attackers to write arbitrary files to the filesystem of the machine running Ferret. The issue arises when scraped web content includes filenames with path traversal sequences like "../", which are then used to construct output paths in common scraping workflows.

An attacker who controls a malicious website can exploit this by embedding "../" sequences in filenames returned during a scrape. A Ferret operator must scrape the site and naively incorporate those attacker-supplied filenames into output paths, requiring user interaction but no privileges (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H, score 8.1). This grants control over both the destination path and file content, allowing arbitrary file writes that can achieve remote code execution, such as by targeting cron jobs, SSH authorized_keys, shell profiles, or web shells.

The vulnerability is fixed in Ferret version 2.0.0-alpha.4, as detailed in the project's GitHub security advisory (GHSA-j6v5-g24h-vg4j) and the patching commit (160ebad6bd50f153453e120f6d909f5b83322917). Security practitioners should advise users to upgrade immediately and review scraping scripts for unsanitized filename handling from untrusted sources.
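The mitigation the summary recommends, rejecting scraped filenames that would resolve outside the intended output directory, is shown below as an added example. It is not code from Ferret or from its IO::FS::WRITE function; it is a stand-alone Go helper (Go is assumed because the Ferret project is written in Go) with hypothetical names (SafeOutputPath, PartitionScrapedNames) and constructed sample filenames. The check is lexical: it cleans the joined path and then confirms the result is still strictly below the base directory, so "../" segments anywhere in the name, and absolute names, cannot redirect the write.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a scraped name would resolve outside the output directory.
var ErrTraversal = errors.New("scraped filename escapes the output directory")

// SafeOutputPath builds an output path from a trusted base directory and an
// untrusted filename taken from scraped content. It returns an error instead
// of a path whenever the cleaned result would land outside baseDir.
// (Hypothetical helper; not part of Ferret or its IO::FS::WRITE function.)
func SafeOutputPath(baseDir, scrapedName string) (string, error) {
	if strings.TrimSpace(scrapedName) == "" {
		return "", errors.New("empty scraped filename")
	}
	base := filepath.Clean(baseDir)

	// Strip leading separators so an absolute scraped name ("/etc/x") is
	// treated as relative to baseDir rather than replacing it.
	name := strings.TrimLeft(scrapedName, `/\`)

	// Join cleans the result lexically, collapsing any "../" segments.
	candidate := filepath.Join(base, name)

	// After cleaning, the path must still be strictly below base: a relative
	// path of "." (the base itself) or one starting with ".." is rejected.
	rel, err := filepath.Rel(base, candidate)
	if err != nil {
		return "", err
	}
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return candidate, nil
}

// PartitionScrapedNames applies SafeOutputPath to every scraped name and
// separates the accepted output paths from the rejected names, so a scraping
// job can log rejections instead of writing them.
func PartitionScrapedNames(baseDir string, names []string) (accepted, rejected []string) {
	for _, n := range names {
		p, err := SafeOutputPath(baseDir, n)
		if err != nil {
			rejected = append(rejected, n)
			continue
		}
		accepted = append(accepted, p)
	}
	return accepted, rejected
}

func main() {
	// Constructed sample of filenames as a hostile page might return them.
	scraped := []string{
		"report.html",
		"images/logo.png",
		"sub/../inside.txt",
		"../../escape.txt",
		"sub/../../escape2.txt",
		"/abs/path.txt",
		"",
	}
	ok, bad := PartitionScrapedNames("out", scraped)
	fmt.Println("accepted:", ok)
	fmt.Println("rejected:", bad)
}
```

Two caveats apply. The check is purely lexical, so it does not protect against symlinks that already exist inside the output directory; if untrusted content can create links there, resolve the parent with filepath.EvalSymlinks before the comparison. And if a scraper only ever needs flat filenames, taking filepath.Base of the scraped value and rejecting "." and ".." is a simpler rule that removes directory components entirely.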

Details

CWE(s): CWE-22, CWE-73

Affected Products

montferret/ferret: 2.0.0 · ≤ 2.0.0

MITRE ATT&CK Enterprise Techniques

T1053.003 Cron (Execution)
Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code.
T1098.004 SSH Authorized Keys (Persistence)
Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host.
T1546.004 Unix Shell Configuration Modification (Privilege Escalation)
Adversaries may establish persistence through executing malicious commands triggered by a user's shell.
T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Path traversal enables arbitrary file writes outside intended directories, directly facilitating persistence via cron jobs (T1053.003), SSH authorized keys (T1098.004), shell profiles (T1546.004), and web shells (T1505.003) as explicitly described.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References