CVE-2025-58438: internetarchive Vulnerable to Directory Traversal in File.download()
What kind of vulnerability is it?
This is a Critical severity directory traversal (path traversal) vulnerability in the File.download() method of the internetarchive library.
Who is impacted?
All users of the internetarchive library versions < 5.5.1 are impacted. The vulnerability is particularly critical for users on Windows systems, but all operating systems are affected.
Description of the vulnerability:
The vulnerability existed because the file.download() method did not properly sanitize user-supplied filenames or validate the final download path. A maliciously crafted filename could contain path traversal sequences (e.g., ../../../../windows/system32/file.txt) or illegal characters that, when processed, would cause the file to be written outside of the intended target directory.
Potential Impact: An attacker could potentially overwrite critical system files or application configuration files, leading to a denial of service, privilege escalation, or remote code execution, depending on the context in which the library is used.
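The following is an added, constructed example, not code from the internetarchive library and not the fix in the referenced commit. It puts the bug class the advisory describes (joining an unchecked remote filename onto a download directory) beside a hypothetical `safe_download_path` helper that rejects traversal components and characters illegal on Windows, then confirms the resolved destination still lies inside the download directory. The directory name `downloads` and the helper names are assumptions for the demonstration.

```python
import os
from pathlib import Path, PurePosixPath

# Constructed example (not the internetarchive library's own code): contrasts an
# unchecked join of a remote filename onto a download directory with a helper
# that validates each path component and the final resolved path.

# Characters that are illegal in Windows filenames; ':' also blocks "C:" drive prefixes.
WINDOWS_ILLEGAL = set('<>:"|?*') | {chr(c) for c in range(32)}


def naive_download_path(destdir: str, remote_name: str) -> Path:
    """Vulnerable pattern: the remote name is joined onto destdir without any check."""
    return Path(os.path.join(destdir, remote_name))


def safe_download_path(destdir: str, remote_name: str) -> Path:
    """Return the path under destdir that remote_name may be written to, or raise ValueError.

    The remote name is treated as a '/'-separated relative path. Each component
    is checked, then the resolved result is confirmed to lie inside the
    resolved destination directory.
    """
    if not remote_name or remote_name.startswith(("/", "\\")):
        raise ValueError(f"empty or absolute remote name: {remote_name!r}")
    parts = PurePosixPath(remote_name).parts  # normalises '//' and './' away
    if not parts:
        raise ValueError(f"remote name names no file: {remote_name!r}")
    for part in parts:
        if part == "..":
            raise ValueError(f"traversal component in remote name: {remote_name!r}")
        if "\\" in part or any(ch in WINDOWS_ILLEGAL for ch in part):
            raise ValueError(f"illegal character in remote name: {remote_name!r}")
    base = Path(destdir).resolve()
    candidate = base.joinpath(*parts).resolve()
    # Belt and braces: even after the component checks (and through any symlink
    # that resolve() followed), the final path must remain under destdir.
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError(f"resolved path escapes destination: {candidate}") from None
    return candidate


def escapes_destdir(destdir: str, path: Path) -> bool:
    """True if path, once resolved, lies outside the resolved destdir."""
    base = Path(destdir).resolve()
    try:
        path.resolve().relative_to(base)
        return False
    except ValueError:
        return True


def is_safe_name(destdir: str, remote_name: str) -> bool:
    """Does safe_download_path accept this remote name for this destdir?"""
    try:
        safe_download_path(destdir, remote_name)
        return True
    except ValueError:
        return False


def relative_download_name(destdir: str, remote_name: str) -> str:
    """Accepted file's path relative to destdir, in '/' form (for logging)."""
    base = Path(destdir).resolve()
    return safe_download_path(destdir, remote_name).relative_to(base).as_posix()


if __name__ == "__main__":
    dest = "downloads"  # assumed download directory
    for name in ["item/file.txt", "../../../../windows/system32/file.txt", "bad:name.txt"]:
        naive = naive_download_path(dest, name)
        print(f"{name!r}: naive join escapes={escapes_destdir(dest, naive)}, "
              f"accepted by check={is_safe_name(dest, name)}")
```

The component checks catch the obvious `..` and drive-letter cases; the final `relative_to` check is what closes the remaining gap, because `resolve()` follows any existing symlink inside the download directory and the comparison is made on the real path rather than on the string the caller supplied.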
References
- github.com/advisories/GHSA-wx3r-v6h7-frjp
- github.com/jjjake/internetarchive
- github.com/jjjake/internetarchive/commit/cba2d459e10a9489fb35caeba0b03e80f5f5d7c2
- github.com/jjjake/internetarchive/releases/tag/v5.5.1
- github.com/jjjake/internetarchive/security/advisories/GHSA-wx3r-v6h7-frjp
- nvd.nist.gov/vuln/detail/CVE-2025-58438