Incorrect Default Permissions Affecting bzfs package, versions [,1.14.0)


Severity: medium

CVSS assessment by Snyk's Security Team.

  • Snyk ID: SNYK-PYTHON-BZFS-14172757
  • Published: 4 Dec 2025
  • Disclosed: 2 Dec 2025
  • Credit: Unknown

Introduced: 2 Dec 2025

CVE: not available. CWE: CWE-276

How to fix?

Upgrade bzfs to version 1.14.0 or higher.

Overview

bzfs is a reliable near real-time, parallel replication and backup command-line tool for ZFS. It replicates snapshots from many local or remote source ZFS datasets (and their descendants) to local or remote destination datasets, using zfs send/receive and ssh, and can operate at sub-second intervals across large fleets of hosts.

Affected versions of this package are vulnerable to Incorrect Default Permissions due to the use of os.makedirs() without enforcing a restrictive umask when creating temporary directories. This causes the directories to inherit overly permissive default permissions, allowing unauthorized users to read or modify sensitive files stored within them. An attacker can exploit this by accessing or tampering with these improperly protected directories, potentially leading to information disclosure or data corruption.
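The permission gap described above, shown as an added example (it is not code from bzfs or from this advisory): os.makedirs() under a typical umask next to a variant that tightens the umask and verifies the result. The function names, the 0o022 umask and the scratch paths are assumptions constructed for the demonstration.

```python
import os
import stat
import tempfile

def mode_of(path):
    return stat.S_IMODE(os.lstat(path).st_mode)

def makedirs_private(path):
    """Hypothetical helper: create path and missing parents as 0o700, then verify."""
    old = os.umask(0o077)  # umask is process-wide, so this is not thread-safe
    try:
        # Since Python 3.7, mode= applies to the leaf only; missing parents
        # get 0o777 & ~umask, so the umask is what protects them.
        os.makedirs(path, mode=0o700, exist_ok=True)
    finally:
        os.umask(old)
    st = os.lstat(path)  # lstat: do not follow a symlink planted at path
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != os.geteuid():
        raise PermissionError(f"{path}: not a directory owned by this user")
    if stat.S_IMODE(st.st_mode) & 0o077:
        # exist_ok=True silently reuses an older, looser directory
        raise PermissionError(f"{path}: group/other access is allowed")
    return path

def demo():
    """Compare both patterns under a simulated default umask of 0o022."""
    old = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as base:  # constructed scratch area
            weak = os.path.join(base, "weak", "job")
            private = os.path.join(base, "private", "job")
            os.makedirs(weak, exist_ok=True)  # pattern named in the advisory
            makedirs_private(private)
            modes = [mode_of(p) for p in (weak, os.path.dirname(weak),
                                          private, os.path.dirname(private))]
            try:
                makedirs_private(weak)  # pre-existing permissive directory
                rejected = False
            except PermissionError:
                rejected = True
            return modes, rejected
    finally:
        os.umask(old)

if __name__ == "__main__":
    print(demo())
```

Under umask 0o022 the plain call leaves both the leaf and its parent at 0o755, while the verified variant yields 0o700 for both and refuses to reuse the directory that already existed with looser permissions.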
