CVE-2025-55214: 
Python vulnerability analysis and mitigation

CVE-2025-55214 affects the Copier library and CLI app (versions 7.1.0 to 9.9.1), which is used for rendering project templates. The vulnerability was discovered and disclosed on August 18, 2025. The issue allows a malicious template to write files outside the intended destination directory, even when using supposedly 'safe' templates that don't require the --UNSAFE or --trust flags (GitHub Advisory).

The vulnerability stems from the ability to manipulate rendered directory paths using Copier's built-in pathjoin Jinja filter and _copier_conf.sep variable (platform-native path separator). This allows the creation of paths that are either relative parent paths or absolute paths, circumventing the intended directory restrictions. The vulnerability has been assigned a CVSS v4.0 score of 6.9 (Medium) with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N. The issue is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (GitHub Advisory, NVD).

When exploited, this vulnerability allows a malicious template author to create templates that can overwrite arbitrary files on the system, limited only by the user's write permissions. This poses a significant risk as it can be used to cause system damage or data loss, even when users believe they are using a 'safe' template (GitHub Advisory).

The vulnerability has been fixed in version 9.9.1 of Copier. Users should upgrade to this version or later to protect against this security issue. No workarounds are available for affected versions (GitHub Advisory).