Mako: Path traversal via double-slash URI prefix in TemplateLookup
🔗 CVE IDs covered (1)
📋 Description
Summary
TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations:
Template.__init__strips one leading/usingif/sliceTemplateLookup.get_template()strips all leading/usingre.sub(r"^\/+", "")
When a URI like //../../../../etc/passwd is passed:
get_template()strips all/→../../../../etc/passwd→ file found viaposixpath.join(dir_, u)Template.__init__strips one/→/../../../../etc/passwd→normpath→/etc/passwd/etc/passwd.startswith(..) →False→ check bypassed
Impact
Arbitrary file read: any file readable by the process can be returned as rendered template content when an application passes untrusted input directly to TemplateLookup.get_template().
Note: this is exploitable at the library API level. HTTP-based exploitation is mitigated by Python's BaseHTTPRequestHandler which normalizes double-slash prefixes since CPython gh-87389. Applications using other HTTP servers that do not normalize paths may be affected.
Fix
Changed Template.__init__ to use lstrip("/") instead of stripping only a single leading slash, so both code paths handle leading slashes consistently.
🎯 Affected products1
- pip/Mako:<= 1.3.10
🔗 References (5)
- https://github.com/sqlalchemy/mako/security/advisories/GHSA-v92g-xgxw-vvmm
- https://nvd.nist.gov/vuln/detail/CVE-2026-41205
- https://github.com/sqlalchemy/mako/commit/e05ac61989a7fb9dd7dcde6cfd72dc48328719a3
- https://github.com/sqlalchemy/mako/releases/tag/rel_1_3_11
- https://github.com/advisories/GHSA-v92g-xgxw-vvmm