PyPI: pydicom

CVE-2026-32711

Safety vulnerability ID: SFTY-20260320-32618

Safety legacy ID: pyup.io-89906

Created at: Mar 23, 2026
Updated at: Mar 23, 2026

Overview

pydicom has a path traversal in FileSet/DICOMDIR: ReferencedFileID allows file access outside the File-set root

Advisory

Affected versions of the pydicom package are vulnerable to Path Traversal due to improper validation of ReferencedFileID paths against the File-set root. In src/pydicom/fileset.py, RecordNode._file_id converts ReferencedFileID directly into a Path, FileSet.load() only resolves the path to confirm it exists, and public workflows including FileSet.copy(), FileSet.write(), and remove()+write(use_existing=True) perform file operations without verifying that the resolved path remains inside the intended File-set root.
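The containment check the advisory describes as missing, as an added example that is not pydicom's code or the upstream fix. `resolve_file_id` and `audit_file_ids` are hypothetical helpers, the directory layout and record values are constructed, and ReferencedFileID is assumed to arrive as a string or a list of path components.

```python
import tempfile
from pathlib import Path


def resolve_file_id(root, file_id):
    """Return the resolved path for a ReferencedFileID, or raise ValueError
    if it would land outside the File-set root."""
    components = [file_id] if isinstance(file_id, str) else list(file_id)
    root = Path(root).resolve()
    # An absolute component makes joinpath() discard root, and resolve()
    # follows symlinks, so compare the resolved result with the resolved
    # root instead of scanning the components for "..".
    candidate = root.joinpath(*components).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise ValueError(f"ReferencedFileID {components!r} escapes {root}") from None
    return candidate


def audit_file_ids(root, file_ids):
    """Split file IDs into (accepted resolved paths, rejected IDs)."""
    accepted, rejected = [], []
    for fid in file_ids:
        try:
            accepted.append(resolve_file_id(root, fid))
        except ValueError:
            rejected.append(fid)
    return accepted, rejected


def demo():
    # Constructed File-set layout and record values, for illustration only.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "fileset")
        (root / "IMAGES").mkdir(parents=True)
        (root / "IMAGES" / "IM0001").write_bytes(b"")
        Path(tmp, "outside.dcm").write_bytes(b"")
        ids = [
            ["IMAGES", "IM0001"],                  # normal record
            ["..", "outside.dcm"],                 # parent-directory component
            [str(Path(tmp, "outside.dcm"))],       # absolute path component
            ["IMAGES", "..", "IMAGES", "IM0001"],  # still inside once resolved
        ]
        accepted, rejected = audit_file_ids(root, ids)
        inside = [p.relative_to(root.resolve()).as_posix() for p in accepted]
        return inside, rejected


if __name__ == "__main__":
    print(demo())
```

Running the same check over every record before calling copy or write operations on an untrusted DICOMDIR is a stopgap for installations that cannot upgrade yet.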

Affected Package

Affecting pydicom package, versions
>=3.0.0,<=3.0.1
<2.4.5

Also affects

---

How to Fix

Upgrade pydicom to 3.0.2, 2.4.5 or higher.

Mitigation and Workarounds

---

Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
