OpenStack Ironic before version 35.0.2 is vulnerable to a directory traversal flaw that allows an attacker to overwrite files on the deployment host using a specially crafted ISO image. The vulnerability can be exploited during the deployment process, potentially compromising the integrity of configuration files or executables located on the target system. The weakness corresponds to CWE‑22 and CWE‑23, describing a path traversal condition that permits writing to unintended locations.

The affected product is OpenStack Ironic, specifically any release older than 35.0.2. Clients that use Ironic to deploy machines from ISO images run the risk unless they upgrade to the patched version or otherwise restrict ISO uploads.

With a CVSS score of 5.9, the vulnerability carries moderate severity. The EPSS score is 0.0015, indicating a very low yet nonzero likelihood of exploitation, and the issue is not listed in the CISA KEV catalog. Exploitation requires control over the ISO image supplied to the Ironic service, which typically implies authenticated API access or compromised trust in the image source. Once the crafted ISO is processed, the attacker can overwrite arbitrary files on the deployment host, potentially leading to further attacks or system compromise. The attack vector is file overwrite via directory traversal within the ISO content, as characterized by CWE‑22 and CWE‑23.