Poetry Has Wheel Path Traversal Which Can Lead to Arbitrary File Write

Description

Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. It is reachable from untrusted package artifacts during normal install flows. (Normally, installing a malicious wheel is not sufficient for execution of malicious code. Malicious code will only be executed after installation if the malicious package is imported or invoked by the user.). This issue has been patched in version 2.3.3.

Affected Products

Vendor	Product	Versions
python software foundation	poetry	pip/poetry: >= 1.4.0, <= 2.3.2

References

https://github.com/python-poetry/poetry/security/advisories/GHSA-2599-h6xx-hpxp(x_refsource_CONFIRM)
https://github.com/python-poetry/poetry/pull/10792(x_refsource_MISC)
https://github.com/python-poetry/poetry/releases/tag/2.3.3(x_refsource_MISC)
http://github.com/python-poetry/poetry/commit/ed59537ac3709cfbdbf95d957de801c13872991a(x_refsource_MISC)

Related News (2 articles)

Tier A

Microsoft MSRC4h ago

CVE-2026-34591 Poetry Has Wheel Path Traversal Which Can Lead to Arbitrary File Write

→ No new info (linked only)

Tier C

VulDB4d ago

CVE-2026-34591 | python-poetry up to 2.3.2 on Python path traversal (GHSA-2599-h6xx-hpxp)

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

poetry@2.3.3

CWECWE-22

PublishedApr 1, 2026

Last enriched4d agov2

Poetry Has Wheel Path Traversal Which Can Lead to Arbitrary File Write

Description

Affected Products

References

Related News (2 articles)

Community Vote

Related CVEs (1)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History