Path Traversal Vulnerability in Google Cloud Dataform NPM Package Installation
CVE-2025-9118

10CRITICAL

Key Information:

Vendor: Google Cloud
Status: Dataform
Vendor: CVE Published:; 25 August 2025

🔔 Create Google Cloud Vulnerability Alert

What is CVE-2025-9118?

A path traversal vulnerability exists within the NPM package installation process of Google Cloud Dataform. This issue enables remote attackers to exploit a maliciously crafted package.json file, potentially allowing unauthorized access to read or write files in other users' repositories. This vulnerability poses significant risks to data integrity and security, emphasizing the importance of secure coding practices and vigilant monitoring of package dependencies.

Affected Version(s)

Dataform 08/7/2025 < 08/21/2025

References

https://cloud.devsite.corp.google.com/dataform/docs/secur...

vendor-advisory

CVSS V4

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 25, 2025
Vulnerability Reserved
Aug 18, 2025

Credit

Tomas Lažauninkas

JSON