CVE-2025-9118

10.0

Critical

Published:25 Aug 2025

Last updated:17 Jun 2026

Source:f45cbf4e-4146-4068-b7e1-655ffc2c548c

Deferred

Weakness (CWE)

CWE-22Path Traversal

CVSS Vector

v4.0

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None
User Interaction: None
Confidentiality (Vulnerable): High
Integrity (Vulnerable): High
Availability (Vulnerable): None
Confidentiality (Subsequent): High
Integrity (Subsequent): High
Availability (Subsequent): High

View on MITRE Find PoC on GitHub

Description

A path traversal vulnerability in the NPM package installation process of Google Cloud Dataform allows a remote attacker to read and write files in other customers' repositories via a maliciously crafted package.json file.

References

f45cbf4e-4146-4068-b7e1-655ffc2c548c

https://cloud.devsite.corp.google.com/dataform/docs/security-bulletins#gcp-2025-045