Command Injection Affecting dar-backup package, versions [,0.8.2)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PYTHON-DARBACKUP-13807335
- published2 Nov 2025
- disclosed1 Nov 2025
- creditUnknown
Introduced: 1 Nov 2025
New CVE NOT AVAILABLE CWE-78 (opens in a new tab)How to fix?
Upgrade dar-backup to version 0.8.2 or higher.
Overview
dar-backup is an A script to do full, differential and incremental backups using dar. Some files are restored from the backups during verification, after which par2 redundancy files are created. The script also has a cleanup feature to remove old backups and par2 files.
Affected versions of this package are vulnerable to Command Injection due to insufficient sanitization of command arguments in the CommandRunner.run() method. An attacker can execute arbitrary commands by injecting shell metacharacters (such as ;, &, |, etc.) in arguments that bypass the sanitize_cmd(cmd) checks.