GHSA-29g5-m8v7-v564: Measured is vulnerable to Path Traversal attacks during class initialization

July 15, 2025

A path traversal vulnerability exists where an attacker with access to manipulate inputs when initializing the Measured::Cache::Json class would be able to instruct the library to read arbitrary files.

References

github.com/Shopify/measured
github.com/Shopify/measured/commit/d6319985a2304d97c085e3dc45c98af554f4be76
github.com/Shopify/measured/security/advisories/GHSA-29g5-m8v7-v564
github.com/advisories/GHSA-29g5-m8v7-v564

Code Behaviors & Features

Detect and mitigate GHSA-29g5-m8v7-v564 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →