Description
Copier is a library and CLI app for rendering project templates. Prior to version 9.14.1, Copier's _subdirectory setting is documented as the subdirectory to use as the template root. However, the current implementation accepts parent-directory traversal such as .. and uses it directly when selecting the template root. As a result, a template can escape its own directory and make Copier render files from the parent directory without --UNSAFE. This issue has been patched in version 9.14.1.
Published: 2026-04-02
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized file access via template root escape
Action: Patch
AI Analysis

Impact

The vulnerability arises when Copier’s _subdirectory setting, intended to define the template's root, accepts parent-directory traversal sequences such as "..". This causes the tool to resolve outside the intended template directory, allowing it to render files from a parent location without requiring an --UNSAFE flag. The result is the ability to read arbitrary files that the template was not meant to access, constituting a classic path traversal weakness (CWE‑22). The CVSS score of 4.4 indicates a moderate severity impact.

Affected Systems

Any installation of the open‑source Copier tool built before version 9.14.1 is affected. The issue exists in both the library and command‑line interface across all operating systems where the tool runs. The problem is addressed in releases 9.14.1 and later, which enforce proper handling of _subdirectory values.

Risk and Exploitability

The CVSS metric places the risk in the medium range; no EPSS score is supplied, and the vulnerability is not catalogued in the CISA Known Exploited Vulnerabilities list. Exploitation requires an attacker to supply a template configuration containing a malicious _subdirectory value, which is possible when a user retrieves a template from an untrusted source or the template itself embeds the vulnerable setting. Because the attack occurs locally on the system running Copier, the impact is confined to that environment, but the ability to read arbitrary files can be critical, especially if the file contains sensitive data.

Generated by OpenCVE AI on April 2, 2026 at 22:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Copier to version 9.14.1 or newer

Generated by OpenCVE AI on April 2, 2026 at 22:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-85v3-4m8g-hrh6 Copier `_subdirectory` allows template root escape via parent-directory traversal
History

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Copier-org
Copier-org copier
Vendors & Products Copier-org
Copier-org copier

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description Copier is a library and CLI app for rendering project templates. Prior to version 9.14.1, Copier's _subdirectory setting is documented as the subdirectory to use as the template root. However, the current implementation accepts parent-directory traversal such as .. and uses it directly when selecting the template root. As a result, a template can escape its own directory and make Copier render files from the parent directory without --UNSAFE. This issue has been patched in version 9.14.1.
Title Copier `_subdirectory` allows template root escape via parent-directory traversal
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

Subscriptions

Copier-org Copier
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T16:16:03.275Z

Reserved: 2026-03-30T18:41:20.753Z

Link: CVE-2026-34726

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-04-02T19:21:32.320

Modified: 2026-04-03T17:16:52.623

Link: CVE-2026-34726

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:17:02Z

Weaknesses