Upstream information
Description
Symlink following vulnerability in Gleam's Hex package export allows files outside the project root to be embedded in the generated package tarball.The file collection helpers (gleam_files, native_files, private_files) in compiler-cli/src/fs.rs use follow_links(true) when walking publishable directories such as src/ and priv/. The collected paths are added to the package archive via add_path_to_tar in compiler-cli/src/publish.rs without verifying that the resolved target remains within the project root. A symlink placed under a publishable directory will cause gleam export hex-tarball or gleam publish to embed the contents of the symlink target into the generated Hex package.
An attacker with write access to the project repository can place a symlink in src/ or priv/ pointing to an arbitrary file. When a maintainer or CI pipeline runs gleam publish or gleam export hex-tarball, local files readable by the publisher (such as secrets, tokens, or SSH keys) are silently embedded into the published package artifact.
This issue affects Gleam from 0.10.0-rc1 until 1.17.0.
SUSE information
Overall state of this security issue: Does not affect SUSE products
This issue is currently rated as having moderate severity.
| CVSS detail | CNA (6b3ad84c-e1a6-4bf7-a703-f496b71e49db) |
|---|---|
| Base Score | 5.1 |
| Vector | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| Attack Vector | Local |
| Attack Complexity | Low |
| Attack Requirements | None |
| Privileges Required | Low |
| User Interaction | Active |
| Vulnerable System Confidentiality Impact | High |
| Vulnerable System Integrity Impact | None |
| Vulnerable System Availability Impact | None |
| Subsequent System Confidentiality Impact | None |
| Subsequent System Integrity Impact | None |
| Subsequent System Availability Impact | None |
| CVSSv4 Version | 4.0 |
SUSE Timeline for this CVE
CVE page created: Tue Jun 2 18:01:59 2026CVE page last modified: Tue Jun 2 21:29:18 2026