Description
In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory.
Published: 2026-04-16
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Path traversal enabling arbitrary file modification
Action: Immediate Patch
AI Analysis

Impact

In prior to version 2.5.1 of OCaml's opam package manager, the installer script field named ".install" allows a package author to specify a destination path for an installed file. A malicious package can insert the string "../" into this path, causing opam to write the file outside the intended package directory and potentially into system‑wide locations. The effect is unauthorized modification of files that may lead to privilege escalation, configuration tampering, or denial of service if critical files are overwritten.

Affected Systems

The affected product is OCaml's opam, with all releases preceding 2.5.1 impacted. Packages that contain a malicious ".install" field within these versions pose the risk.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.3, indicating high severity, and is not currently listed in the CISA Known Exploited Vulnerabilities catalog. EPSS data is not available, but the lack of availability does not mitigate the inherent risk. The likely attack vector is misuse of a malicious package either through a local repository or by convincing a user to install a compromised package. Successful exploitation requires the ability to supply or run an opam install command with the tainted package.

Generated by OpenCVE AI on April 17, 2026 at 02:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest opam release 2.5.1 or newer, which removes the directory traversal flaw.
  • Limit opam to trusted package sources or use opam's "--trusted" flag when installing very carefully vetted packages.
  • Implement file system or opam environment restrictions (e.g., chroot or sandbox) to isolate installation directories when working with untrusted packages.

Generated by OpenCVE AI on April 17, 2026 at 02:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4541-1 opam security update
Debian DSA Debian DSA DSA-6216-1 opam security update
History

Tue, 21 Apr 2026 10:30:00 +0000

Type Values Removed Values Added
References

Sat, 18 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Title Path Traversal in opam .install Files Enables Arbitrary File Modification ocaml-opam: path traversal via the .install field
References
Metrics threat_severity

None

 threat_severity

Important

Fri, 17 Apr 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Ocaml
Ocaml ocaml
Vendors & Products Ocaml
Ocaml ocaml

Fri, 17 Apr 2026 03:15:00 +0000

Type Values Removed Values Added
Title Path Traversal in opam .install Files Enables Arbitrary File Modification

Thu, 16 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory.
Weaknesses CWE-24
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L'}

Subscriptions

Ocaml Ocaml
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-21T09:32:52.152Z

Reserved: 2026-04-16T17:32:39.584Z

Link: CVE-2026-41082

cve-icon Vulnrichment

Updated: 2026-04-21T09:32:52.152Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-16T18:16:45.980

Modified: 2026-04-21T10:16:31.107

Link: CVE-2026-41082

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-16T17:32:40Z

Links: CVE-2026-41082 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T08:00:10Z

Weaknesses