The vulnerability lies in Copier's handling of the _subdirectory setting, which is intended to specify the template root. The implementation accepts parent-directory traversal patterns such as '..' and uses them directly when selecting the template root. This allows a template to escape its own directory and cause Copier to render files from the parent directory without requiring the --UNSAFE flag. As a result, an attacker can access and copy arbitrary files from the parent directory into the rendered project, potentially exposing sensitive data. The weakness corresponds to CWE-22, a directory traversal vulnerability.

The issue affects the Copier package produced by copier-org, used as a library and command‑line tool for rendering project templates. All releases prior to version 9.14.1 are vulnerable. The fix was introduced in release 9.14.1; users should upgrade to that version or later to mitigate the risk. This vulnerability is relevant to environments that rely on Copier to process templates supplied by external sources.

The CVSS score of 4.4 indicates a medium level of severity, and the EPSS score of less than 1% suggests that exploitation is unlikely to be widespread. The vulnerability is not listed in CISA's KEV catalog. An attacker would need to supply a malicious template that includes a parent-directory term in the _subdirectory field; no special privileges are required, so local or supply‑chain attacks are plausible. Since the vulnerability is a directory traversal bug, it can be mitigated by updating the tool before any exploitation occurs.