Directory Traversal Affecting docker-29 package, versions <29.2.1-r0


Severity

Recommended
0.0
medium
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.21% (12th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-WOLFILATEST-DOCKER29-15382071
  • published4 Mar 2026
  • disclosed27 Jan 2026

Introduced: 27 Jan 2026

CVE-2026-24686  (opens in a new tab)
CWE-22  (opens in a new tab)

How to fix?

Upgrade Wolfi docker-29 to version 29.2.1-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream docker-29 package and not the docker-29 package as distributed by Wolfi. See How to fix? for Wolfi relevant fixed versions and status.

go-tuf is a Go implementation of The Update Framework (TUF). go-tuf's TAP 4 Multirepo Client uses the map file repository name string (repoName) as a filesystem path component when selecting the local metadata cache directory. Starting in version 2.0.0 and prior to version 2.4.1, if an application accepts a map file from an untrusted source, an attacker can supply a repoName containing traversal (e.g., ../escaped-repo) and cause go-tuf to create directories and write the root metadata file outside the intended LocalMetadataDir cache base, within the running process's filesystem permissions. Version 2.4.1 contains a patch.

CVSS Base Scores

version 3.1