Copier, a library and CLI application for rendering project templates, contains a flaw in its _external_data feature that permits templates to specify paths for loading YAML files. Prior to version 9.14.1, this functionality fails to normalize or restrict the supplied path, enabling a malicious template to read any YAML‑parseable file that the executing user can access. The content of these files is exposed in the rendered output, potentially revealing confidential configuration or credential information. This vulnerability is classified as a path traversal leading to local file read (CWE‑22).

The affected component is the Copier package, distributed under the copier‑org organization. The issue exists in all releases before version 9.14.1 of the library and its command‑line interface. Users who employ untrusted template sources or incorporate external templates into their project generation process are at risk. The official fix is included in release v9.14.1, which removes the ability for templates to load arbitrary local files without explicit unsafe mode.

The CVSS score of 5.5 indicates moderate severity. No EPSS score is available and the vulnerability is not listed in CISA's KEV database. Exploitation requires a user to execute Copier with a template that has been crafted by an attacker or compromised repository. Since the read operation occurs under the privileges of the person running Copier, the impact is limited to files accessible to that user, but the exposure of configuration data can aid further attacks. The lack of a public exploit and the moderate score suggest a realistic but not imminent threat, yet patching remains the safest mitigation.