Description
dbt-common is the shared common utilities for dbt-core and adapter implementations use. Prior to versions 1.34.2 and 1.37.3, a path traversal vulnerability exists in dbt-common's safe_extract() function used when extracting tarball archives. The function uses os.path.commonprefix() to validate that extracted files remain within the intended destination directory. However, commonprefix() compares paths character-by-character rather than by path components, allowing a malicious tarball to write files to sibling directories with matching name prefixes. This issue has been patched in versions 1.34.2 and 1.37.3.
Published: 2026-03-06
Score: 2 Low
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file write outside the intended extraction directory via path traversal
Action: Patch
AI Analysis

Impact

dbt-common's safe_extract function, used to unpack tarball archives, validates file extraction paths using os.path.commonprefix(). This function compares paths at the character level rather than component level, allowing a crafted tarball to place extracted files outside the intended directory but within a sibling directory sharing a common name prefix. The flaw permits an attacker to write arbitrary files to unauthorized locations, potentially overwriting configuration or executable files and enabling privilege escalation or other system tampering. The weakness is identified as CWE‑22, a directory traversal vulnerability.

Affected Systems

The vulnerability affects dbt-labs' dbt-common library. Versions prior to 1.34.2 for the 1.x.x series and prior to 1.37.3 for the 1.3.x series are impacted. All affected builds that invoke safe_extract during tarball extraction are at risk, including those used by dbt‑core and adapter implementations that rely on the shared utilities.

Risk and Exploitability

The CVSS score of 2 indicates low severity, and the EPSS probability of less than 1 % suggests limited exploitation likelihood. Because the flaw requires the attacker to supply a malicious tarball and the vulnerable extraction routine to be invoked, the attack vector is local or remote via supply chain depending on how the tarball is provided. The vulnerability is not listed in CISA’s KEV catalog. While the risk level is currently low, organizations deploying dbt-common should update promptly to mitigate the possibility of file system compromise.

Generated by OpenCVE AI on April 16, 2026 at 11:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade dbt-common to version 1.34.2 or later (or 1.37.3 for the 1.3.x line) to apply the fixed safe_extract implementation.
  • Until a patch can be applied, avoid extracting untrusted tarballs with dbt-common by limiting usage to trusted sources and performing manual path checks before extraction.
  • If you maintain custom extraction logic that relies on safe_extract, replace the commonprefix-based validation with a secure component‑level path check, such as using os.path.realpath and confirming the target resides inside the intended directory.

Generated by OpenCVE AI on April 16, 2026 at 11:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-w75w-9qv4-j5xj dbt-common's commonprefix() doesn't protect against path traversal
History

Fri, 13 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Getdbt
Getdbt dbt-common
CPEs cpe:2.3:a:getdbt:dbt-common:*:*:*:*:*:*:*:*
Vendors & Products Getdbt
Getdbt dbt-common
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Mon, 09 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Dbt-labs
Dbt-labs dbt-common
Vendors & Products Dbt-labs
Dbt-labs dbt-common

Fri, 06 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
Description dbt-common is the shared common utilities for dbt-core and adapter implementations use. Prior to versions 1.34.2 and 1.37.3, a path traversal vulnerability exists in dbt-common's safe_extract() function used when extracting tarball archives. The function uses os.path.commonprefix() to validate that extracted files remain within the intended destination directory. However, commonprefix() compares paths character-by-character rather than by path components, allowing a malicious tarball to write files to sibling directories with matching name prefixes. This issue has been patched in versions 1.34.2 and 1.37.3.
Title dbt-common: commonprefix() doesn't protect against path traversal
Weaknesses CWE-22
References
Metrics cvssV4_0

{'score': 2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Dbt-labs Dbt-common
Getdbt Dbt-common
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:54:30.453Z

Reserved: 2026-03-04T16:26:02.900Z

Link: CVE-2026-29790

cve-icon Vulnrichment

Updated: 2026-03-09T20:51:44.447Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-06T21:16:15.630

Modified: 2026-03-13T18:31:00.637

Link: CVE-2026-29790

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T11:15:27Z

Weaknesses