Path Traversal in Python-poetry Poetry

CVE-2026-41140

Poetry is a dependency manager for Python. Prior to 2.3.4, the extractall() function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python versions where tarfile.data_filter is unavailab…
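A hardened replacement for the extraction step the advisory describes, added here as an example (it is not Poetry's own code): it validates every member's destination before anything is written, and additionally uses `tarfile.data_filter` when the interpreter provides it. The helper names and the in-memory archive are constructed for the demonstration.

```python
import io, tarfile, tempfile
from pathlib import Path

class UnsafeArchiveError(ValueError):
    """A member would be written or linked outside the extraction directory."""

def _within(base: Path, candidate: Path) -> bool:
    try:  # resolve() works for not-yet-existing paths and collapses '..' components
        candidate.resolve().relative_to(base.resolve())
        return True
    except ValueError:
        return False

def validate_members(tar: tarfile.TarFile, dest: Path) -> list:
    """Check every member before any write, so a bad archive causes no partial extraction."""
    for m in tar.getmembers():
        target = dest / m.name  # an absolute m.name replaces dest entirely, so it fails the check
        if not _within(dest, target):
            raise UnsafeArchiveError(f"member escapes destination: {m.name!r}")
        # symlink targets are relative to the link's own directory, hard links to the archive root
        link_base = target.parent if m.issym() else dest
        if (m.issym() or m.islnk()) and not _within(dest, link_base / m.linkname):
            raise UnsafeArchiveError(f"link target escapes destination: {m.name!r}")
    return [m.name for m in tar.getmembers()]

def safe_extractall(tar: tarfile.TarFile, dest: str) -> list:
    names = validate_members(tar, Path(dest))
    if hasattr(tarfile, "data_filter"):  # 3.12+ and the 3.8.17/3.9.17/3.10.12/3.11.4 backports
        tar.extractall(dest, filter="data")  # also strips setuid/setgid bits and absolute paths
    else:
        tar.extractall(dest)  # interpreters without the filter: the check above is the only guard
    return names

def build_tar(entries: dict) -> bytes:
    """Constructed in-memory sdist-like archive used only for this demonstration."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def extract_blob(blob: bytes):
    """Extract into a fresh temp dir; returns member names, or None when the archive is rejected."""
    with tempfile.TemporaryDirectory() as d, tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tf:
        try:
            return safe_extractall(tf, d)
        except UnsafeArchiveError:
            return None
```

Because validation runs over the whole member list first, a rejected archive leaves nothing on disk, which is the property a plain `extractall()` lacks on interpreters without `data_filter`.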

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.001 (25.5th percentile)
