Fluid Attacks Database

Description

Shamefile has an arbitrary file read via shamefile.yaml in shame next

Impact

A path traversal vulnerability in shame next allows an attacker-controlled shamefile.yaml to disclose contents of files outside the repository, one line at a time, to the terminal of a user who runs the command. See patch commit for technical details.

Patches

Fixed in 0.1.7. Upgrade to either 0.1.7 or later versions to incorporate the patch.

Workarounds

Do not run shame next against untrusted shamefile.yaml. Use shame me --dry-run for CI validation.

Resources

Patch commit: https://github.com/BKDDFS/shamefile/commit/77b0aeea318503582818c708518c601fedc43557

Pull request: https://github.com/BKDDFS/shamefile/pull/80

Release: https://github.com/BKDDFS/shamefile/releases/tag/v0.1.7

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
cargo	shamefile	>=0 <0.1.7 \|\| >=0 <0.1.7 \|\| >=0 <0.1.7	0.1.7, 0.1.7, 0.1.7

Aliases

1. CVE-2026-471442. NVD-2026-471443. OSV-2026-471444. GHSA-x6p3-76f2-xxvh5. GCVE-2026-47144

References

1. https://github.com/BKDDFS/shamefile/security/advisories/GHSA-x6p3-76f2-xxvh2. https://github.com/BKDDFS/shamefile/pull/803. https://github.com/BKDDFS/shamefile/commit/77b0aeea318503582818c708518c601fedc435574. https://github.com/BKDDFS/shamefile/releases/tag/v0.1.7