Home > Vulnerability Database > CVE-2025-8406

Mend.io Vulnerability Database

CVE-2025-8406

Good to know:

Date: October 5, 2025

ZenML version 0.83.1 is affected by a path traversal vulnerability in the "PathMaterializer" class. The "load" function uses "is_path_within_directory" to validate files during "data.tar.gz" extraction, which fails to effectively detect symbolic and hard links. This vulnerability can lead to arbitrary file writes, potentially resulting in arbitrary command execution if critical files are overwritten.

Severity Score

6.3

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-8406

Url: https://huntr.com/bounties/a0880d64-9928-45bf-9663-2cd81582d9e7

Url: https://github.com/zenml-io/zenml/commit/5d22a48d7bf6c7f10b748577c2be79cc7969d398

Url: https://github.com/zenml-io/zenml

Url: https://www.mend.io/vulnerability-database/CVE-2025-8406

Severity Score

6.3

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Top Fix

Upgrade Version

Upgrade to version zenml - 0.84.2

Learn More

CVSS v3.1

Base Score:	6.3
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	HIGH
Privileges Required (PR):	HIGH
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-8406

Good to know:

Date: October 5, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?