Description
gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members. This allows files to be written outside the intended destination directory, potentially leading to arbitrary file overwrite and Remote Code Execution (RCE). Version 5.2.2 contains a fix.
Published: 2026-04-18
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Overwrite / Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

The gdown library contains a path traversal flaw in its extractall function, where the names of files inside ZIP or TAR archives are not validated before extraction. This allows an attacker to craft an archive that writes files outside the intended destination directory, leading to arbitrary file overwrite and the potential for remote code execution, as the overwritten files could be privileged executables or configuration files. The weakness is classified as CWE-22.

Affected Systems

The library released by wkentaro under the name gdown is vulnerable in all versions before 5.2.2. Users who depend on earlier releases, such as v5.2.1 or older, are impacted. The vulnerability is relevant to Python projects that import gdown for downloading data from Google Drive.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog. The likely attack scenario involves an environment that uses gdown to extract archives freshly downloaded from untrusted sources; the attacker supplies a malicious archive that causes files to be written outside the target directory. If the overwritten files include executables or code that runs with elevated privileges, remote code execution becomes possible. However, exploitability depends on the user’s context and the permissions of the gdown process.

Generated by OpenCVE AI on April 18, 2026 at 08:40 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade gdown to version 5.2.2 or later, which includes the fix.
  • If an upgrade is not immediately possible, restrict the extraction directory and validate or sanitize archive member names before extraction.
  • For existing deployments, audit the code base for calls to extractall and eliminate or harden them, ensuring that only trusted archives are processed.
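The member-name validation that the recommended actions call for, as an added example that is not gdown's own code: every ZIP or TAR member is checked against the destination directory before anything is extracted, tar link members are refused, and a `demo()` helper builds two constructed sample archives (the file and function names are assumptions) to show a traversal name being rejected.

```python
import os
import tarfile
import tempfile
import zipfile

def check_member(dest: str, name: str) -> None:
    """Raise ValueError for names that are absolute, contain '..', or resolve outside dest."""
    if not name or os.path.isabs(name) or os.path.splitdrive(name)[0]:
        raise ValueError(f"absolute member name rejected: {name!r}")
    if ".." in name.replace("\\", "/").split("/"):
        raise ValueError(f"parent-directory segment rejected: {name!r}")
    dest_real = os.path.realpath(dest)  # resolve symlinks before comparing prefixes
    target = os.path.realpath(os.path.join(dest, name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise ValueError(f"member escapes destination: {name!r}")

def safe_extractall(archive: str, dest: str) -> list[str]:
    """Validate every member of a ZIP or TAR archive, then extract into dest."""
    os.makedirs(dest, exist_ok=True)
    if zipfile.is_zipfile(archive):
        with zipfile.ZipFile(archive) as zf:
            names = zf.namelist()
            for name in names:
                check_member(dest, name)
            zf.extractall(dest)
            return names
    with tarfile.open(archive) as tf:  # tarfile raises ReadError for unknown formats
        members = tf.getmembers()
        for m in members:
            check_member(dest, m.name)
            if m.issym() or m.islnk():  # a link could redirect later writes outside dest
                raise ValueError(f"link member rejected: {m.name!r}")
        tf.extractall(dest)
        return [m.name for m in members]

def demo() -> dict:
    """Constructed fixtures: a benign ZIP and one whose member name escapes dest."""
    work = tempfile.mkdtemp()
    benign, bad, dest = (os.path.join(work, p) for p in ("ok.zip", "bad.zip", "out"))
    with zipfile.ZipFile(benign, "w") as zf:
        zf.writestr("data/readme.txt", "hello")
    with zipfile.ZipFile(bad, "w") as zf:
        zf.writestr("../escaped.txt", "overwrite attempt")
    result = {"benign": safe_extractall(benign, dest), "rejected": False}
    try:
        safe_extractall(bad, dest)
    except ValueError:
        result["rejected"] = True
    result["escaped_written"] = os.path.exists(os.path.join(work, "escaped.txt"))
    return result
```

On Python 3.12 and later, `tarfile.extractall(..., filter="data")` applies comparable member checks built into the standard library; the explicit check above also covers ZIP archives and older interpreters.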


Advisories

Source: GitHub GHSA
ID: GHSA-76hw-p97h-883f
Title: gdown Affected by Arbitrary File Write via Path Traversal in gdown.extractall
History

Sat, 18 Apr 2026 02:30:00 +0000

Type         Values Removed   Values Added
Description                   gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members. This allows files to be written outside the intended destination directory, potentially leading to arbitrary file overwrite and Remote Code Execution (RCE). Version 5.2.2 contains a fix.
Title                         gdown Affected by Arbitrary File Write via Path Traversal in gdown.extractall
Weaknesses                    CWE-22
References
Metrics                       cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-18T01:36:47.659Z

Reserved: 2026-04-13T19:50:42.114Z

Link: CVE-2026-40491

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-18T03:16:13.157

Modified: 2026-04-18T03:16:13.157

Link: CVE-2026-40491

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:45:41Z

Weaknesses