Description
Ferret is a declarative system for working with web data. Prior to 2.0.0-alpha.4, a path traversal vulnerability in Ferret's IO::FS::WRITE standard library function allows a malicious website to write arbitrary files to the filesystem of the machine running Ferret. When an operator scrapes a website that returns filenames containing ../ sequences, and uses those filenames to construct output paths (a standard scraping pattern), the attacker controls both the destination path and the file content. This can lead to remote code execution via cron jobs, SSH authorized_keys, shell profiles, or web shells. This vulnerability is fixed in 2.0.0-alpha.4.
Published: 2026-04-06
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is a classic path traversal flaw that lets a malicious website write arbitrary files to the host when a Ferret operator scrapes it. Because the IO::FS::WRITE function accepts filenames supplied by the site, the site can embed "../" sequences in the filenames it returns. The attacker consequently controls both the target path and the content of the written file, allowing deployment of cron jobs, SSH authorized_keys, shell profiles or web shells that execute with the privileges of the Ferret process. The weakness is catalogued as CWE-22 (Path Traversal) and CWE-73 (External Control of File Name or Path).

Affected Systems

The issue affects every installation of MontFerret Ferret up to and including the 2.0.0-alpha.3 release. Any deployment running 2.0.0-alpha.3 or earlier is subject to the flaw, while 2.0.0-alpha.4 and newer contain the fix. The affected CPEs are montferret:ferret 2.0.0 pre-releases prior to alpha.4.

Risk and Exploitability

The CVSS score of 8.1 categorizes this as a high severity vulnerability. The EPSS score of less than 1% suggests that exploitation is currently rare or unverified, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is an operator who unknowingly scrapes a malicious site; the attacker would host a site that returns filenames with directory traversal sequences, causing Ferret to write files to arbitrary locations on the host machine. The vulnerability is exploitable with standard web scraping workflows, and no additional privileged access appears required beyond running Ferret.

Generated by OpenCVE AI on April 14, 2026 at 21:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Ferret 2.0.0-alpha.4 or later to apply the vendor patch
  • If upgrading immediately is not possible, cherry-pick the commit that contains the fix (160ebad6bd50f153453e120f6d909f5b83322917) and rebuild the application
  • Configure Ferret to sanitize or restrict filenames used in IO::FS::WRITE by rejecting paths containing "../" or by enforcing a safe base directory
  • In the interim, monitor the filesystem for unexpected file writes or modifications made by Ferret processes
  • Validate your environment for any previously injected malicious files and remove them promptly
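The following is an added example, not Ferret's own code: it places the naive "join the scraped filename onto the output directory" pattern from the Impact section beside a containment check that implements the "safe base directory" recommendation above. The containment check is stronger than rejecting names that contain "../", because a bare "..", a backslash-separated name or an absolute path carries no such substring yet still escapes. Function names SafeJoin and NaiveOutputPath and the sample filenames are assumptions constructed for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrOutsideBase = errors.New("filename resolves outside the output directory")

// NaiveOutputPath is the pattern the advisory describes: a scraped filename is
// joined straight onto the output directory. filepath.Join cleans the result,
// so "../" components silently move the write outside baseDir.
func NaiveOutputPath(baseDir, scraped string) string {
	return filepath.Join(baseDir, scraped)
}

// SafeJoin (hypothetical name) maps an untrusted filename onto a path inside
// baseDir. Instead of searching for the substring "../", it cleans the joined
// path and checks the result is still contained in baseDir, which also catches
// a bare "..", backslash-separated names, absolute paths and empty names.
func SafeJoin(baseDir, untrusted string) (string, error) {
	name := strings.ReplaceAll(untrusted, "\\", "/") // treat "\" as a separator too
	if strings.HasPrefix(name, "/") {
		return "", ErrOutsideBase
	}
	base := filepath.Clean(baseDir)
	joined := filepath.Join(base, filepath.FromSlash(name))
	rel, err := filepath.Rel(base, joined)
	if err != nil {
		return "", err
	}
	// rel is "." when the name collapses to the directory itself and starts
	// with ".." when it escapes; both are rejected.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return joined, nil
}

func main() {
	// Constructed filenames standing in for values a scraped site might return.
	for _, n := range []string{"reports/2026.csv", "../escape.txt", "..", "a/../../b"} {
		safe, err := SafeJoin("/out", n)
		fmt.Printf("%-18q naive=%-16s safe=%q err=%v\n", n, NaiveOutputPath("/out", n), safe, err)
	}
}
```

The check is purely lexical; if the output directory may contain symbolic links, resolve baseDir with filepath.EvalSymlinks before calling SafeJoin.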

Advisories

Source: GitHub GHSA
ID: GHSA-j6v5-g24h-vg4j
Title: Ferret: Path Traversal in IO::FS::WRITE allows arbitrary file write when scraping malicious websites

History

Tue, 14 Apr 2026 20:30:00 +0000

CPEs added:
cpe:2.3:a:montferret:ferret:*:*:*:*:*:go:*:*
cpe:2.3:a:montferret:ferret:2.0.0:alpha1:*:*:*:go:*:*
cpe:2.3:a:montferret:ferret:2.0.0:alpha2:*:*:*:go:*:*
cpe:2.3:a:montferret:ferret:2.0.0:alpha3:*:*:*:go:*:*

Tue, 07 Apr 2026 15:15:00 +0000

Metrics added (ssvc):
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 00:00:00 +0000

First time appeared: Montferret, Montferret ferret
Vendors & Products added: Montferret, Montferret ferret

Mon, 06 Apr 2026 16:45:00 +0000

Description added: (the description shown at the top of this page)
Title added: Ferret has a Path Traversal in IO::FS::WRITE allows arbitrary file write when scraping malicious websites
Weaknesses added: CWE-22, CWE-73
References added: (none shown)
Metrics added (cvssV3_1):
{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-04-07T14:12:22.159Z
Reserved: 2026-03-30T19:54:55.556Z
Link: CVE-2026-34783

Vulnrichment

Updated: 2026-04-07T14:12:11.404Z

NVD

Status: Analyzed
Published: 2026-04-06T17:17:10.430
Modified: 2026-04-14T20:28:17.990
Link: CVE-2026-34783

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:30:09Z

Weaknesses