CVE-2023-40587: Pyramid is an open source Python web framework. A path traversal vulnerability in Pyramid versions 2.0.0 and 2.0.1 impacts users of Python 3.11 that a...

Description

Pyramid is an open source Python web framework. A path traversal vulnerability in Pyramid versions 2.0.0 and 2.0.1 impacts users of Python 3.11 that are using a Pyramid static view with a full filesystem path and have a `index.html` file that is located exactly one directory above the location of the static view's file system path. No further path traversal exists, and the only file that could be disclosed accidentally is `index.html`. Pyramid version 2.0.2 rejects any path that contains a null-byte out of caution. While valid in directory/file names, we would strongly consider it a mistake to use null-bytes in naming files/directories. Secondly, Python 3.11, and 3.12 has fixed the underlying issue in `os.path.normpath` to no longer truncate on the first `0x00` found, returning the behavior to pre-3.11 Python, un an as of yet unreleased version. Fixes will be available in:Python 3.12.0rc2 and 3.11.5. Some workarounds are available. Use a version of Python 3 that is not affected, downgrade to Python 3.10 series temporarily, or wait until Python 3.11.5 is released and upgrade to the latest version of Python 3.11 series.

Metrics

CVSS 3.1

5.3/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Probability

0.63%

45.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Agendaless	Pyramid	>= 2.0, < 2.0.2
Fedoraproject	Fedora	38
Fedoraproject	Fedora	39

References

https://github.com/Pylons/pyramid/commit/347d7750da6f45c7436dd0c31468885cc9343c85Patch
https://github.com/Pylons/pyramid/security/advisories/GHSA-j8g2-6fc7-q8f8Patch, Vendor Advisory
https://github.com/python/cpython/issues/106242Issue Tracking, Third Party Advisory
https://github.com/python/cpython/pull/106816Patch
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYSDTQ7NP5GHPQ7HBE47MBJQK7YEIYMF/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQIPHQTM3XE5NIEXCTQFV2J2RK2YUSMT/Mailing List
https://github.com/Pylons/pyramid/commit/347d7750da6f45c7436dd0c31468885cc9343c85Patch
https://github.com/Pylons/pyramid/security/advisories/GHSA-j8g2-6fc7-q8f8Patch, Vendor Advisory
https://github.com/python/cpython/issues/106242Issue Tracking, Third Party Advisory
https://github.com/python/cpython/pull/106816Patch
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYSDTQ7NP5GHPQ7HBE47MBJQK7YEIYMF/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQIPHQTM3XE5NIEXCTQFV2J2RK2YUSMT/Mailing List

Timeline

Published: Aug 25, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-40587?

Pyramid is an open source Python web framework. A path traversal vulnerability in Pyramid versions 2.0.0 and 2.0.1 impacts users of Python 3.11 that are using a Pyramid static view with a full filesystem path and have a `index.html` file that is located exactly one directory above the location of the static view's file system path. No further path traversal exists, and the only file that could be disclosed accidentally is `index.html`. Pyramid version 2.0.2 rejects any path that contains a null-byte out of caution. While valid in directory/file names, we would strongly consider it a mistake to use null-bytes in naming files/directories. Secondly, Python 3.11, and 3.12 has fixed the underlying issue in `os.path.normpath` to no longer truncate on the first `0x00` found, returning the behavior to pre-3.11 Python, un an as of yet unreleased version. Fixes will be available in:Python 3.12.0rc2 and 3.11.5. Some workarounds are available. Use a version of Python 3 that is not affected, downgrade to Python 3.10 series temporarily, or wait until Python 3.11.5 is released and upgrade to the latest version of Python 3.11 series.

How severe is CVE-2023-40587?

CVE-2023-40587 has a CVSS score of 5.3/10 (MEDIUM severity). The EPSS model estimates a 0.63% probability of exploitation in the next 30 days.

How do I fix CVE-2023-40587?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.