GHSA-rgrf-6mf5-m882
LOWcdo-local-uuid vulnerable to insertion of artifact derived from developer's Present Working Directory into demonstration code
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
cdo-local-uuid🐍case-utils🐍case-utils🐍case-utils🐍case-utils🐍case-utils🐍case-utils🐍case-utils+3 moreReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects PyPI packages — download data is not available via public APIs for these ecosystems.
Description
Impact
What kind of vulnerability is it? Who is impacted?
An information leakage vulnerability is present in cdo-local-uuid at version 0.4.0, and in case-utils in unpatched versions (matching the pattern 0.x.0) at and since 0.5.0, before 0.15.0.
The vulnerability stems from a Python function, cdo_local_uuid.local_uuid(), and its original implementation case_utils.local_uuid(). Henceforth, both will be called local_uuid().
local_uuid() generates UUIDv5s using a deterministic pseudorandom number stream. This was written to make graph application demonstrations generate consistent, version-controllable output with minimal noise caused by demonstration re-runs. Part of the information used to keep individual examples' generated output distinct from one another is seed information from the caller's environment, particularly the program's argument vector. The present working directory is also included as part of the seed information, but for reasons including maintaining user environment privacy, as well as keeping generated identifiers consistent regardless of where a source tree is housed on a user's file system, the present working directory is trimmed from the left to exclude path information outside of a supplied "Top" source directory. (In context of the Make scripting language, this "top" directory is typically in a variable called top_srcdir. In context of Git-based project management, this directory is expected to be the root directory of a freshly "Cloned" project, e.g., where .git is stored.)
Under certain conditions, a user's present working directory, as an absolute path, was incorporated into seed data for the local_uuid() deterministic pseudorandom number stream. This violates an expectation made in the documented purpose of the local_uuid() function, and leaks information about a calling user's environment.
The conditions are:
- Given a project with top source directory
top_srcdir, for instance/home/user1/Documents/Project1; - Given a Python script housed directly in
top_srcdir, for instance at${top_srcdir}/example.py, written to support the deterministic mode oflocal_uuid(); - Given a call to that Python script that follows the documentation for
local_uuid();
The absolute path for top_srcdir was then included in the seed information for the UUIDv5 stream, when what was intended was a relative path spelling. That is, instead of ./example.py being in the seed data, /home/user1/Documents/Project1/example.py was in the seed data.
This does not leak the present working directory directly. But, given other knowledge of how a program had been called to generate data using local_uuid() under these conditions, it becomes possible to determine that a chosen path can lead to a known UUIDv5 value. Note that it is not necessarily knowable that the chosen path is the only solution to a sequence reconstruction; but, the path can be confirmed to be a solution.
Patches
Has the problem been patched? What versions should users upgrade to?
The issue has been patched, in the cdo-local-uuid source repository and the case-utils source repository.
Users should upgrade to any of these versions minimally:
case-utils == 0.5.1case-utils == 0.6.1case-utils == 0.7.1case-utils == 0.8.1case-utils == 0.9.1case-utils == 0.10.1case-utils == 0.11.1case-utils == 0.12.1case-utils == 0.13.1case-utils == 0.14.1case-utils >= 0.15.0cdo-local-uuid == 0.5.0
All case-utils releases that contain the patch have the commit ea630cce66b26dae6d7fa7e02451d6e25456a5f2 in their Git history. Anyone interested in confirming the presence of this commit in a certain branch or tag can run the following test (written in Bash), substituting the desired branch name for the assigned value of my_git_ref_of_interest:
#!/bin/bash
# Present working directory ($PWD) should be in a clone of this repository:
# https://github.com/casework/CASE-Utilities-Python
my_git_ref_of_interest=main
test \
"xea630cce66b26dae6d7fa7e02451d6e25456a5f2" \
== \
"x$(git merge-base ea630cc ${my_git_ref_of_interest})"
echo $? # Should print '0'
Note that other releases have been posted atop some of those minimal versions recommended for upgrading, named, e.g., 0.5.1.post0. These releases were posted to update internal library version numbers, and otherwise contain no functional changes, in accordance with Python Packaging guidance:
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
If the script calling cdo_local_uuid.local_uuid() is moved out of the "Top" source directory, the issue is addressed.
References
Are there any links users can visit to find out more?
The issue is addressed in this Pull Request:
Tests to reproduce the issue's conditions and confirm it has been addressed are in this Pull Requested:
<!-- CVSS3.1 vector determined by rubric diagrams at this page: https://www.first.org/cvss/v3.1/user-guide -->Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐍PyPI | cdo-local-uuid | ≥ 0.4.0&&< 0.5.0 | 0.5.0 |
| 🐍PyPI | case-utils | ≥ 0.5.0&&< 0.5.1 | 0.5.1 |
| 🐍PyPI | case-utils | ≥ 0.6.0&&< 0.6.1 | 0.6.1 |
| 🐍PyPI | case-utils | ≥ 0.7.0&&< 0.7.1 | 0.7.1 |
| 🐍PyPI | case-utils | ≥ 0.8.0&&< 0.8.1 | 0.8.1 |
| 🐍PyPI | case-utils | ≥ 0.9.0&&< 0.9.1 | 0.9.1 |
Research use only. For defensive security, authorized penetration testing, and academic research only. Never execute exploit code against systems without explicit written authorization.
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for cdo-local-uuid. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update cdo-local-uuid to 0.5.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-rgrf-6mf5-m882 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-rgrf-6mf5-m882 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-rgrf-6mf5-m882. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-rgrf-6mf5-m882 in your dependencies?
O3 detects GHSA-rgrf-6mf5-m882 across PyPI dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.