Description
Copier is a library and CLI app for rendering project templates. Prior to version 9.14.1, Copier's _external_data feature allows a template to load YAML files using template-controlled paths. If untrusted templates are in scope, a malicious template can read attacker-chosen YAML-parseable local files that are accessible to the user running Copier and expose their contents in rendered output. This issue has been patched in version 9.14.1.
Published: 2026-04-02
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Path Traversal Local File Read
Action: Patch
AI Analysis

Impact

Copier is a library and CLI used to render project templates. Prior to version 9.14.1 its _external_data feature allowed a template to load YAML files using paths under the template’s control. As a result, an attacker could supply a malicious template that references an arbitrary file on the local filesystem, causing the file’s contents to be read, parsed as YAML, and exposed in the rendered output. This vulnerability enables information disclosure by reading any file accessible to the user running Copier and is classed under CWE‑22.

Affected Systems

All releases of the Copier library and command‑line interface prior to version 9.14.1 are affected. The security advisory identifies that the issue has been fixed in version 9.14.1, so any installation using an older release is vulnerable.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate impact, while the EPSS score of less than 1% suggests that exploitation is unlikely. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires the attacker to supply or otherwise place a malicious template in a location where the user will load it. Therefore, the attack vector is likely local or via insider or compromised repository access rather than remote exploitation.

Generated by OpenCVE AI on April 3, 2026 at 22:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to copier version 9.14.1 or later.
  • Validate that all templates originate from trusted and verified sources before loading them.

Generated by OpenCVE AI on April 3, 2026 at 22:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hgjq-p8cr-gg4h Copier `_external_data` allows path traversal and absolute-path local file read without unsafe mode
History

Fri, 03 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:copier-org:copier:*:*:*:*:*:python:*:*

Fri, 03 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Copier-org
Copier-org copier
Vendors & Products Copier-org
Copier-org copier

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description Copier is a library and CLI app for rendering project templates. Prior to version 9.14.1, Copier's _external_data feature allows a template to load YAML files using template-controlled paths. If untrusted templates are in scope, a malicious template can read attacker-chosen YAML-parseable local files that are accessible to the user running Copier and expose their contents in rendered output. This issue has been patched in version 9.14.1.
Title Copier `_external_data` allows path traversal and absolute-path local file read without unsafe mode
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

Subscriptions

Copier-org Copier
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T13:01:14.081Z

Reserved: 2026-03-30T18:41:20.754Z

Link: CVE-2026-34730

cve-icon Vulnrichment

Updated: 2026-04-03T13:01:04.817Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T19:21:32.560

Modified: 2026-04-03T19:43:42.730

Link: CVE-2026-34730

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T07:55:43Z

Weaknesses