Package keys read from build/packages/packages.toml by LocalPackages::read_from_disc are passed without validation to paths.build_packages_package(), which constructs a filesystem path by joining the project build directory with the attacker-controlled key. The resulting path is then passed to fs::delete_directory (which calls remove_dir_all). No check is performed to ensure the path remains within the intended build/packages/ directory. Both absolute paths and relative traversal sequences (e.g. ../) are accepted as package keys, allowing deletion of arbitrary directories.
An attacker who can cause a victim to run gleam deps download on a project containing a malicious build/packages/packages.toml (e.g. by committing the normally-gitignored file to a repository) can cause arbitrary directories on the victim's system to be recursively deleted.
This issue affects Gleam from 0.18.0-rc1 until 1.17.0.
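As an added illustration (not Gleam's own code, and not the upstream fix), the following contrasts the unchecked join the advisory describes with a key check that rejects absolute paths and traversal components before any delete is attempted; the function names and the packages directory are hypothetical.

```rust
// Added example, not Gleam's code. Names are hypothetical.
use std::path::{Component, Path, PathBuf};

/// Mirrors the unchecked behaviour described in the advisory: the key read
/// from packages.toml is joined straight onto the packages directory.
/// `Path::join` with an absolute right-hand side discards the base entirely,
/// and `..` components are kept verbatim, so the result can point anywhere
/// on the filesystem before it reaches remove_dir_all.
fn unchecked_package_path(packages_dir: &Path, key: &str) -> PathBuf {
    packages_dir.join(key)
}

/// Hardened variant: a package key must be exactly one normal path component
/// (no separators, no `.`/`..`, no root or drive prefix, not empty). Anything
/// else is rejected before any filesystem operation happens, so the result is
/// always a direct child of `packages_dir`.
fn checked_package_path(packages_dir: &Path, key: &str) -> Result<PathBuf, String> {
    let mut components = Path::new(key).components();
    match (components.next(), components.next()) {
        // Exactly one Normal component, and it must equal the raw key so that
        // inputs like "foo/" (which normalise to one component) are refused.
        (Some(Component::Normal(name)), None) if name.to_str() == Some(key) => {
            Ok(packages_dir.join(name))
        }
        _ => Err(format!("invalid package key {key:?}")),
    }
}

fn main() {
    // Constructed sample keys: one legitimate, two hostile.
    let packages_dir = Path::new("/home/user/proj/build/packages");
    for key in ["gleam_stdlib", "../../../../important", "/etc"] {
        let raw = unchecked_package_path(packages_dir, key);
        println!("{key:?} -> unchecked: {}", raw.display());
        match checked_package_path(packages_dir, key) {
            Ok(p) => println!("{key:?} -> checked: {}", p.display()),
            Err(e) => println!("{key:?} -> rejected: {e}"),
        }
    }
}
```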
No vendor fix or workaround currently provided.
Tue, 02 Jun 2026 16:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | Gleam, Gleam gleam | |
| Vendors & Products | Gleam, Gleam gleam | |
Tue, 02 Jun 2026 15:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | ssvc | |
Tue, 02 Jun 2026 14:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | Path traversal vulnerability in Gleam's dependency management allows arbitrary directory deletion via malicious build/packages/packages.toml content. Package keys read from build/packages/packages.toml by LocalPackages::read_from_disc are passed without validation to paths.build_packages_package(), which constructs a filesystem path by joining the project build directory with the attacker-controlled key. The resulting path is then passed to fs::delete_directory (which calls remove_dir_all). No check is performed to ensure the path remains within the intended build/packages/ directory. Both absolute paths and relative traversal sequences (e.g. ../) are accepted as package keys, allowing deletion of arbitrary directories. An attacker who can cause a victim to run gleam deps download on a project containing a malicious build/packages/packages.toml (e.g. by committing the normally-gitignored file to a repository) can cause arbitrary directories on the victim's system to be recursively deleted. This issue affects Gleam from 0.18.0-rc1 until 1.17.0. | |
| Title | Path Traversal in build/packages/packages.toml Allows Arbitrary Directory Deletion | |
| First Time appeared | Gleam-lang, Gleam-lang gleam | |
| Weaknesses | CWE-22 | |
| CPEs | cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:* | |
| Vendors & Products | Gleam-lang, Gleam-lang gleam | |
| References | | |
| Metrics | cvssV4_0 | |
Status: PUBLISHED
Assigner: EEF
Published:
Updated: 2026-06-02T19:14:19.113Z
Reserved: 2026-05-04T18:23:25.573Z
Link: CVE-2026-43965
Updated: 2026-06-02T15:07:19.180Z
Status: Deferred
Published: 2026-06-02T14:16:54.053
Modified: 2026-06-02T16:16:40.897
Link: CVE-2026-43965
OpenCVE Enrichment
Updated: 2026-06-02T15:45:06Z