CVE-2025-8917: 
ClearML Server vulnerability analysis and mitigation

A path traversal vulnerability was discovered in allegroai/clearml version v2.0.1, identified as CVE-2025-8917. The vulnerability was discovered on October 5, 2025, and was disclosed through huntr.dev. The vulnerability affects the safe_extract function in the clearml software package, which improperly handles symbolic and hard links (NVD).

The vulnerability stems from improper handling of symbolic and hard links in the safe_extract function. The issue is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The vulnerability has been assigned a CVSS v3.0 base score of 5.8 (Medium) with the vector string CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N (NVD, Huntr).

The vulnerability can lead to arbitrary file writes outside the intended directory through path traversal attacks. If successfully exploited, this could potentially result in remote code execution if critical files are overwritten (NVD).

A fix has been implemented in the clearml repository through commit 64fb2bcbdbb87a74af90dd723d5ef4a99fceeb73. The patch includes additional checks for symbolic and hard links, and proper path validation to prevent directory traversal attacks (Github Commit).