critical

Dataform cross-tenant path traversal

Published Thu, Aug 21st, 2025

Platforms

Summary

Dataform could have allowed a malicious customer to gain unauthorized cross-tenant access to other customer's code repositories and data. By preparing a maliciously crafted package.json file, an attacker could exploit a path traversal vulnerability in the npm package installation process, thereby gaining read and write access in other customers' repositories. According to Google, there was no evidence of exploitation in the wild.

Affected Services

Dataform

Remediation

None required.

Tracked CVEs

CVE-2025-9118

References

https://cloud.google.com/support/bulletins https://www.cve.org/CVERecord?id=CVE-2025-9118

Contributed by https://github.com/korniko98

Entry Status

Finalized

Disclosure Date

Thu, Aug 21st, 2025

Exploitablity Period

2025/08/07 to 2025/08/21

Known ITW Exploitation

Detection Methods

None

Piercing Index Rating

Discovered by

Unknown

More vulnerabilities...

medium

AWS ECS Agent Information Disclosure Vulnerability

A vulnerability in the Amazon ECS agent could allow an introspection server to be accessed off-host. This information disclosure issue, if exploited, could allow another instance in the same securi...

Amazon Web Services

Thu, Aug 14th, 2025

high

Remote Prompt Injection in GitLab Duo Leaks Source Code

A remote prompt injection vulnerability in GitLab Duo allowed attackers to steal source code from private projects, manipulate code suggestions, and exfiltrate confidential information. The attack ...

Omer Mayraz, Legit Security

Thu, May 22nd, 2025

high

AWS Security Tool Introduces Privilege Escalation Risk

AWS's Account Assessment for AWS Organizations tool, designed to audit cross-account access, inadvertently introduced privilege escalation risks due to flawed deployment instructions. Customers wer...

Eliav Livneh, Token Security

Mon, May 19th, 2025

View all