critical

Dataform cross-tenant path traversal

Published Thu, Aug 21st, 2025

Platforms

gcp

Summary

Dataform could have allowed a malicious customer to gain unauthorized cross-tenant access to other customer's code repositories and data. By preparing a maliciously crafted package.json file, an attacker could exploit a path traversal vulnerability in the npm package installation process, thereby gaining read and write access in other customers' repositories. According to Google, there was no evidence of exploitation in the wild.

Affected Services

Dataform

Remediation

None required.

Tracked CVEs

CVE-2025-9118

References

https://cloud.google.com/support/bulletinshttps://www.cve.org/CVERecord?id=CVE-2025-9118

Contributed by https://github.com/korniko98

Entry Status

Finalized

Disclosure Date

Thu, Aug 21st, 2025

Exploitability Period

2025/08/07 to 2025/08/21

Known ITW Exploitation

-

Detection Methods

None

Piercing Index Rating

-

Discovered by

Unknown

More vulnerabilities...

medium

AWS ECS Agent Information Disclosure Vulnerability

aws

A vulnerability in the Amazon ECS agent could allow an introspection server to be accessed off-host. This information disclosure issue, if exploited, could allow another instance in the same securi...

Amazon Web Services
high

Remote Prompt Injection in GitLab Duo Leaks Source Code

gitlab

A remote prompt injection vulnerability in GitLab Duo allowed attackers to steal source code from private projects, manipulate code suggestions, and exfiltrate confidential information. The attack ...

Omer Mayraz, Legit Security
high

AWS Security Tool Introduces Privilege Escalation Risk

aws

AWS's Account Assessment for AWS Organizations tool, designed to audit cross-account access, inadvertently introduced privilege escalation risks due to flawed deployment instructions. Customers wer...

Eliav Livneh, Token Security
View all