Description
Path traversal vulnerability in Gleam's dependency management allows arbitrary directory deletion via malicious build/packages/packages.toml content.

Package keys read from build/packages/packages.toml by LocalPackages::read_from_disc are passed without validation to paths.build_packages_package(), which constructs a filesystem path by joining the project build directory with the attacker-controlled key. The resulting path is then passed to fs::delete_directory (which calls remove_dir_all). No check is performed to ensure the path remains within the intended build/packages/ directory. Both absolute paths and relative traversal sequences (e.g. ../) are accepted as package keys, allowing deletion of arbitrary directories.

An attacker who can cause a victim to run gleam deps download on a project containing a malicious build/packages/packages.toml (e.g. by committing the normally-gitignored file to a repository) can cause arbitrary directories on the victim's system to be recursively deleted.

This issue affects Gleam from 0.18.0-rc1 until 1.17.0.
Published: 2026-06-02
Score: 5.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Gleam
Gleam gleam
Vendors & Products Gleam
Gleam gleam

Tue, 02 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 02 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
Description Path traversal vulnerability in Gleam's dependency management allows arbitrary directory deletion via malicious build/packages/packages.toml content. Package keys read from build/packages/packages.toml by LocalPackages::read_from_disc are passed without validation to paths.build_packages_package(), which constructs a filesystem path by joining the project build directory with the attacker-controlled key. The resulting path is then passed to fs::delete_directory (which calls remove_dir_all). No check is performed to ensure the path remains within the intended build/packages/ directory. Both absolute paths and relative traversal sequences (e.g. ../) are accepted as package keys, allowing deletion of arbitrary directories. An attacker who can cause a victim to run gleam deps download on a project containing a malicious build/packages/packages.toml (e.g. by committing the normally-gitignored file to a repository) can cause arbitrary directories on the victim's system to be recursively deleted. This issue affects Gleam from 0.18.0-rc1 until 1.17.0.
Title Path Traversal in build/packages/packages.toml Allows Arbitrary Directory Deletion
First Time appeared Gleam-lang
Gleam-lang gleam
Weaknesses CWE-22
CPEs cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*
Vendors & Products Gleam-lang
Gleam-lang gleam
References
Metrics cvssV4_0

{'score': 5.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-06-02T19:14:19.113Z

Reserved: 2026-05-04T18:23:25.573Z

Link: CVE-2026-43965

cve-icon Vulnrichment

Updated: 2026-06-02T15:07:19.180Z

cve-icon NVD

Status : Deferred

Published: 2026-06-02T14:16:54.053

Modified: 2026-06-02T16:16:40.897

Link: CVE-2026-43965

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T15:45:06Z

Weaknesses