VDB

CVE-2025-9118

CVE-2025-9118 PUBLISHED CVSS 10 CRITICAL

A path traversal vulnerability in the NPM package installation process of Google Cloud Dataform allows a remote attacker to read and write files in other customers' repositories via a maliciously crafted package.json file.

EPSS 0.40% · 61.2th percentile

Risk Scores

CVSS 4.0
10
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H
EPSS Score
0.40%
61.2th percentile

Affected Products

VendorProductVersions
Google CloudDataform08/7/2025

Timeline

  • Aug 25, 2025 EPSS Score
  • Aug 25, 2025 CVE Published
  • Aug 25, 2025 PoC Published
  • Aug 25, 2025 PoC Published
  • Aug 25, 2025 PoC Published
  • Aug 25, 2025 PoC Published
  • Aug 25, 2025 CVE Updated
  • Aug 25, 2025 PoC Published
  • Aug 25, 2025 PoC Published
  • Aug 25, 2025 PoC Published
  • Sep 2, 2025 EPSS Score
  • Sep 2, 2025 PoC Published
Open in Interactive Console →
$ Console Community · 100/wk Open console ›