Directory Traversal Vulnerability in Internet Archive Python Library
CVE-2025-58438

9.4 CRITICAL

Key Information:

Vendor: Jjjake
CVE Published: 6 September 2025

What is CVE-2025-58438?

The Internet Archive library has a directory traversal vulnerability in the File.download() method that affects versions 5.5.0 and earlier. This issue arises from inadequate sanitization of user-supplied filenames and improper validation of the download path, potentially allowing attackers to manipulate file paths using traversal sequences. Consequently, an attacker could craft a filename that causes files to be written outside the intended directory, presenting risks such as overwriting important system files or application configurations. Such vulnerabilities could subsequently lead to denial of service, privilege escalation, or even remote code execution. This issue presents heightened risks, particularly for users operating on Windows systems, but impacts all platforms. The vulnerability is addressed in version 5.5.1.
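A containment check of the kind the description says was missing, as an added example; it is not the internetarchive library's code and not the 5.5.1 fix. The names `safe_download_path`, `rejected_names` and `UnsafePathError` are hypothetical, and the sample filenames are constructed.

```python
import os
from pathlib import PureWindowsPath

# Constructed sample names, used only to exercise the check below.
CONSTRUCTED_BAD_NAMES = [
    "../../etc/passwd",
    "..\\..\\Windows\\win.ini",
    "sub/../../x",
    "/etc/passwd",
    "C:\\Windows\\x",
    "",
]


class UnsafePathError(ValueError):
    """A remote-supplied filename would resolve outside the download directory."""


def safe_download_path(dest_dir: str, remote_name: str) -> str:
    """Return the absolute path for remote_name under dest_dir, or raise."""
    # Treat "\" as a separator on every platform, not only on Windows.
    normalized = remote_name.replace("\\", "/")
    if not normalized or "\x00" in normalized:
        raise UnsafePathError(f"empty or NUL-containing name: {remote_name!r}")
    # Absolute paths, UNC paths and drive-qualified names ignore dest_dir.
    if normalized.startswith("/") or PureWindowsPath(remote_name).drive:
        raise UnsafePathError(f"absolute or drive-qualified name: {remote_name!r}")
    parts = [p for p in normalized.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise UnsafePathError(f"traversal sequence in name: {remote_name!r}")
    # realpath() resolves symlinks already present under dest_dir, so a link
    # that points outside the directory is caught by the containment test.
    base = os.path.realpath(dest_dir)
    candidate = os.path.realpath(os.path.join(base, *parts))
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePathError(f"resolves outside {base!r}: {remote_name!r}")
    return candidate


def rejected_names(dest_dir: str, names: list) -> list:
    """Return the subset of names that safe_download_path refuses."""
    rejected = []
    for name in names:
        try:
            safe_download_path(dest_dir, name)
        except UnsafePathError:
            rejected.append(name)
    return rejected
```

The check is deliberately conservative: any name with a Windows drive prefix is refused even on non-Windows hosts, since the same remote metadata may be downloaded on either platform.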

Affected Version(s)

internetarchive < 5.5.1

CVSS V4

Score: 9.4
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
