Description
The tinygltf library uses the C library function wordexp() to perform file path expansion on untrusted paths taken from the input glTF file. wordexp() performs full POSIX shell word expansion, including command substitution, so a path containing backticks (or $(...)) is passed to /bin/sh and the embedded command is executed in the loading process. An attacker who supplies a crafted glTF file, for example with a malicious external buffer or image uri, can therefore run arbitrary commands on the machine that parses it. Upgrade to tinygltf 2.6.0 or later, or to a build that includes commit 52ff00a38447f06a17eab1caa2cf0730a119c751. Because tinygltf is a single-header library that is frequently vendored into other projects, check copies of tinygltf.h inside your own source trees as well as packaged versions.
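The following is an added example written for this entry; it is not tinygltf's source and not its patch. It puts the vulnerable pattern (an attacker-controlled path passed to wordexp() with flags 0) next to a hardened version that rejects shell metacharacters before the call and passes the POSIX WRDE_NOCMD flag so command substitution fails closed. The function names, the status enum, the metacharacter set and the sample URIs are all assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wordexp.h>

/* Status codes for the hardened routine (names are mine, not tinygltf's). */
enum expand_status {
    EXPAND_OK = 0,
    EXPAND_REJECTED = 1,   /* input contained shell metacharacters; wordexp() never ran */
    EXPAND_CMDSUB = 2,     /* wordexp() refused a command substitution (WRDE_NOCMD) */
    EXPAND_AMBIGUOUS = 3,  /* expansion produced zero or several words (e.g. globbing) */
    EXPAND_FAILED = 4      /* any other wordexp() error */
};

/* Vulnerable pattern: an attacker-controlled path goes straight into wordexp() with
 * flags = 0.  Command substitution is enabled by default, so a path such as
 * "`echo INJECTED`/model.gltf" makes wordexp() spawn /bin/sh, run the command and
 * splice its output into the expanded path.  Returns the raw wordexp() code. */
int expand_path_unsafe(const char *untrusted, char *out, size_t outlen)
{
    wordexp_t we;
    int rc = wordexp(untrusted, &we, 0);
    if (rc != 0)
        return rc;
    snprintf(out, outlen, "%s", we.we_wordc > 0 ? we.we_wordv[0] : "");
    wordfree(&we);
    return 0;
}

/* First line of defence: a file URI read out of a model file has no legitimate
 * use for shell syntax, so refuse anything wordexp() would treat specially
 * (tilde is deliberately left out so "~/scene.gltf" still expands). */
int has_shell_metachars(const char *s)
{
    return strpbrk(s, "`$(){}[]*?;|&<>\"'\\\n") != NULL;
}

/* Hardened variant: metacharacter pre-check, then wordexp() with WRDE_NOCMD so a
 * command substitution is refused even if the pre-check were ever bypassed, and a
 * strict "exactly one word" rule so globbing cannot silently substitute files. */
enum expand_status expand_path_checked(const char *untrusted, char *out, size_t outlen)
{
    if (has_shell_metachars(untrusted))
        return EXPAND_REJECTED;

    wordexp_t we;
    int rc = wordexp(untrusted, &we, WRDE_NOCMD);
    if (rc == WRDE_CMDSUB)
        return EXPAND_CMDSUB;
    if (rc != 0)
        return EXPAND_FAILED;

    enum expand_status st = EXPAND_AMBIGUOUS;
    if (we.we_wordc == 1) {
        snprintf(out, outlen, "%s", we.we_wordv[0]);
        st = EXPAND_OK;
    }
    wordfree(&we);
    return st;
}

/* WRDE_NOCMD on its own, without the pre-check: shows that the flag alone already
 * makes wordexp() fail closed with WRDE_CMDSUB instead of running the command. */
int wordexp_nocmd_rc(const char *s)
{
    wordexp_t we;
    int rc = wordexp(s, &we, WRDE_NOCMD);
    if (rc == 0)
        wordfree(&we);
    return rc;
}

int main(void)
{
    char buf[256];
    /* Constructed sample URIs, as they might appear in a buffers[].uri field. */
    const char *benign = "~/scene.gltf";
    const char *hostile = "`echo INJECTED`/model.gltf";

    if (expand_path_unsafe(hostile, buf, sizeof buf) == 0)
        printf("unsafe : %s\n", buf);   /* the backtick command ran in /bin/sh */

    printf("nocmd  : rc=%d (WRDE_CMDSUB=%d)\n", wordexp_nocmd_rc(hostile), (int)WRDE_CMDSUB);
    printf("checked: %s -> status %d\n", hostile, (int)expand_path_checked(hostile, buf, sizeof buf));
    if (expand_path_checked(benign, buf, sizeof buf) == EXPAND_OK)
        printf("checked: %s -> %s\n", benign, buf);   /* tilde expanded from $HOME */
    return 0;
}
```

The pre-check is the part that actually matters for untrusted input: WRDE_NOCMD stops command substitution, but variable expansion, tilde expansion and globbing remain available to the attacker, which is why the checked version also refuses `$`, `*`, `?` and `[` and insists on exactly one resulting word. If the only expansion a loader needs is a leading `~`, handling that by hand and never calling wordexp() on file-supplied strings is the simplest fix.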
References (5)
Patch, Third Party Advisory x_refsource_misc
https://github.com/syoyo/tinygltf/commit/52ff00a38447f06a17eab1caa2cf0730a119c751
Exploit, Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://github.com/syoyo/tinygltf/issues/368
Exploit, Issue Tracking, Mailing List, Third Party Advisory x_refsource_misc
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=49053
Product, Third Party Advisory x_refsource_misc
https://github.com/syoyo/tinygltf/blob/master/README.md
Third Party Advisory, vendor-advisory x_refsource_debian
https://www.debian.org/security/2022/dsa-5232
Scores
CVSS v3
8.1
EPSS
0.0846
EPSS Percentile
92.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-78
CWE-77
Status
published
Products (2)
debian/debian_linux
11.0
tinygltf_project/tinygltf
< 2.6.0
Published
Sep 05, 2022
Tracked Since
Feb 18, 2026