Threat Advisory

compliance-trestle Remote Fetching Mechanism has an Arbitrary File Write via Cache Path Traversal

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-45725 (CVSS score 7.1) is a vulnerability in the compliance-trestle library's remote fetching cache mechanism. It affects versions 4.0.0 to 4.0.2 and versions prior to 3.12.2. The HTTPSFetcher and SFTPFetcher classes construct the local cache file path from the URL path component without sanitizing path traversal sequences, which allows an attacker to write arbitrary files to the filesystem via a malicious OSCAL profile. The vulnerability can be exploited by sending a crafted HTTPS request to the vulnerable system; it requires network access and the ability to send malicious requests. Successful exploitation gives the capability to write files to arbitrary locations on the system, potentially leading to remote code execution. The business impact is significant, as it can lead to data breaches, system compromise, and disruption of business operations. Prerequisites include the ability to send malicious requests to the vulnerable system and the presence of a malicious OSCAL profile.
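The weakness described above is a cache path derived from the URL path component with no traversal sanitization. The following is an added illustration written for this advisory, not code from compliance-trestle: a naive cache-path builder that reproduces the weak pattern beside a hardened builder that percent-decodes the path, rejects ".." segments, and verifies that the resolved path still lies under the cache root. All names (naive_cache_path, safe_cache_path, CacheEscapeError, escapes_root), the cache root directory and the example URLs are constructed for illustration and are not the library's own identifiers. No files are written; only paths are computed.

```python
"""Added example (not compliance-trestle's code): weak vs. hardened derivation
of a local cache path from a remote URL.

All function names, the cache root and the sample URLs below are assumptions
made for illustration.
"""
from pathlib import Path
from urllib.parse import unquote, urlparse


class CacheEscapeError(ValueError):
    """Raised when a derived cache path would land outside the cache root."""


def naive_cache_path(cache_root: str, url: str) -> Path:
    """Weak pattern: join the URL path component directly under the cache
    root. Any '..' segment in the URL path walks out of the cache root."""
    path = urlparse(url).path.lstrip("/")
    return Path(cache_root) / path


def safe_cache_path(cache_root: str, url: str) -> Path:
    """Hardened pattern:
    1. percent-decode the URL path first, so '%2e%2e' is seen as '..';
    2. drop empty and '.' segments, and reject any '..' segment outright;
    3. resolve the result and confirm the cache root is one of its parents.
    Step 3 is defence in depth: it also catches segments that are not plain
    names on the host platform (for example drive letters on Windows)."""
    root = Path(cache_root).resolve()
    decoded_path = unquote(urlparse(url).path)
    segments = [s for s in decoded_path.split("/") if s not in ("", ".")]
    if not segments:
        raise CacheEscapeError(f"no usable path component in {url!r}")
    if ".." in segments:
        raise CacheEscapeError(f"traversal segment in URL path: {decoded_path!r}")
    resolved = root.joinpath(*segments).resolve()
    if root not in resolved.parents:
        raise CacheEscapeError(f"cache path escapes root: {resolved}")
    return resolved


def escapes_root(cache_root: str, url: str) -> bool:
    """Audit helper: True when the naive builder's path for this URL resolves
    outside the cache root, i.e. the URL would have triggered the weakness."""
    root = Path(cache_root).resolve()
    target = naive_cache_path(cache_root, url).resolve()
    return root not in target.parents


if __name__ == "__main__":
    # Constructed sample inputs; example.invalid is a reserved, unroutable name.
    cache_root = "/tmp/trestle-cache"
    benign = "https://example.invalid/profiles/nist/profile.json"
    traversal = "https://example.invalid/profiles/../../../outside/evil.json"
    encoded = "https://example.invalid/profiles/%2e%2e/%2e%2e/outside.json"

    for url in (benign, traversal, encoded):
        print(f"{url}\n  naive escapes root: {escapes_root(cache_root, url)}")
        try:
            print(f"  safe path: {safe_cache_path(cache_root, url)}")
        except CacheEscapeError as exc:
            print(f"  rejected: {exc}")
```

The percent-decoding step matters because the URL path component is still encoded when it comes out of urlparse; a check that runs before decoding would not see "%2e%2e" as a traversal segment. The final containment check on the resolved path is kept even though ".." segments are already rejected, so the function fails closed on any platform-specific path quirk the segment filter does not anticipate.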


RECOMMENDATION:

We recommend updating compliance-trestle to version 4.0.3 or 3.12.2.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-g3vg-vx23-3858
