PyPI: dbt-common

CVE-2026-29790

Safety vulnerability ID: SFTY-20260305-15357

Safety legacy ID: pyup.io-88432

Affected versions of the dbt-common package are vulnerable to Path Traversal due to improper path validation when extracting tarball archives. The safe_extract() function uses os.path.commonprefix() to verify that archive members remain under the intended extraction directory, but because commonprefix() compares paths character-by-character instead of by path components, a crafted tarball can cause files to be written to sibling directories with matching prefixes.

Created at: Mar 13, 2026
Updated at: Mar 13, 2026

Overview

dbt-common's commonprefix() doesn't protect against path traversal


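To make the advisory's character-versus-component distinction concrete, here is an added example (not dbt-common's code) that places the weak os.path.commonprefix() check beside an os.path.commonpath() check and runs both over a constructed in-memory tarball; the extraction directory and member names are assumed for illustration.

```python
import io
import os
import tarfile

# Added illustration of the flaw class in this advisory, not dbt-common's code.


def is_under_commonprefix(base: str, member: str) -> bool:
    """The weak check the advisory describes: commonprefix() compares
    characters, so '/tmp/extract' counts as a prefix of '/tmp/extract_backup'."""
    base = os.path.abspath(base)
    target = os.path.abspath(os.path.join(base, member))
    return os.path.commonprefix([base, target]) == base


def is_under_commonpath(base: str, member: str) -> bool:
    """Component-wise check: commonpath() only matches whole path segments."""
    base = os.path.abspath(base)
    target = os.path.abspath(os.path.join(base, member))
    return os.path.commonpath([base, target]) == base


def escaping_members(tar: tarfile.TarFile, base: str) -> list[str]:
    """Member names the character-wise check accepts but the component-wise
    check rejects, i.e. files that would be written beside `base`."""
    return [m.name for m in tar.getmembers()
            if is_under_commonprefix(base, m.name)
            and not is_under_commonpath(base, m.name)]


def build_sample_tar() -> tarfile.TarFile:
    """Constructed in-memory archive: one honest member, one that resolves to
    a sibling directory sharing the prefix, one plain traversal outside /tmp/extract."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tw:
        for name in ("models/schema.yml",
                     "../extract_backup/profiles.yml",
                     "../../outside/file.txt"):
            info = tarfile.TarInfo(name)
            info.size = 0
            tw.addfile(info, io.BytesIO(b""))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


if __name__ == "__main__":
    with build_sample_tar() as t:
        # Only the sibling-prefix member slips past the weak check.
        print(escaping_members(t, "/tmp/extract"))  # ['../extract_backup/profiles.yml']
```

On Python 3.12 and later, `TarFile.extractall(path, filter="data")` also rejects members that resolve outside the destination directory, independently of any caller-side check.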
Affected Package

Affecting dbt-common package, versions:
- <1.34.2
- >=1.35.0, <1.37.3

How to Fix

Upgrade dbt-common to 1.34.2 or 1.37.3 or higher.

Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.