Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations.
Fixed in Black 26.3.1.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
None
No data leak
Integrity
High
Complete data modification
Availability
None
No disruption
CVSS Vector v4.0
Weakness Type (CWE)
References 4
https://github.com/psf/black/commit/4937fe6cf241139ddbfc16b0bdbb5b422798909d
security-advisories@github.com
https://github.com/psf/black/pull/5038
security-advisories@github.com
https://github.com/psf/black/releases/tag/26.3.1
security-advisories@github.com
https://github.com/psf/black/security/advisories/GHSA-3936-cmfr-pm3m
security-advisories@github.com