Poetry Has Wheel Path Traversal Which Can Lead to Arbitrary File Write
Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain `../` path components that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. The flaw is reachable from untrusted package artifacts during normal install flows. (Normally, installing a malicious wheel is not by itself sufficient for execution of malicious code; malicious code is only executed after installation if the malicious package is imported or invoked by the user.) This issue has been patched in version 2.3.3.
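The containment check the advisory describes as missing can be illustrated with a small extractor. The code below is an added example, not Poetry's code and not the fix from the linked pull request: it checks every wheel member name lexically (absolute paths, drive letters and `..` components are rejected) and then confirms the resolved target still lies under the resolved destination directory, before anything is written. The helper names (`safe_target`, `extract_wheel`, `is_safe_member`, `build_sample_wheel`, `demo`) and the in-memory sample wheel are constructed for this example.

```python
"""Containment check for wheel (zip) members before writing them to disk.

Added example (not Poetry's own code). The wheel built by build_sample_wheel()
is constructed for the demonstration and is not a real package.
"""
import io
import os
import tempfile
import zipfile
from pathlib import Path, PurePosixPath, PureWindowsPath


class UnsafeArchiveMember(ValueError):
    """Raised for a member name that would escape the extraction directory."""


def safe_target(dest: Path, name: str) -> Path:
    """Return the on-disk path where `name` may be written under `dest`, or raise.

    Two layers: a lexical check on the member name, then a filesystem check that
    the resolved target is still inside the resolved destination (this also
    catches escapes through a symlinked directory already present in dest).
    """
    if not name or "\x00" in name:
        raise UnsafeArchiveMember(f"invalid member name: {name!r}")
    posix, win = PurePosixPath(name), PureWindowsPath(name)
    if posix.is_absolute() or win.is_absolute() or win.drive or win.root:
        raise UnsafeArchiveMember(f"absolute path in archive: {name!r}")
    if ".." in posix.parts or ".." in win.parts:
        raise UnsafeArchiveMember(f"parent-directory component in archive: {name!r}")
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, *posix.parts))
    if os.path.commonpath([root, target]) != root:
        raise UnsafeArchiveMember(f"member resolves outside destination: {name!r}")
    return Path(target)


def is_safe_member(name: str, dest: str = ".") -> bool:
    """Boolean wrapper around safe_target for quick checks of member names."""
    try:
        safe_target(Path(dest), name)
        return True
    except UnsafeArchiveMember:
        return False


def extract_wheel(wheel_bytes: bytes, dest: Path) -> list[Path]:
    """Extract all members after validating every one; return the files written.

    All member names are checked up front, so a wheel with a single bad entry
    leaves no partially installed files behind.
    """
    written: list[Path] = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        targets = [(info, safe_target(dest, info.filename)) for info in zf.infolist()]
        for info, target in targets:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_sample_wheel(*, malicious: bool) -> bytes:
    """Build a minimal in-memory wheel (constructed sample, not a real package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo_pkg/__init__.py", "VALUE = 1\n")
        zf.writestr("demo_pkg-0.1.dist-info/METADATA", "Name: demo_pkg\nVersion: 0.1\n")
        if malicious:
            # A member name of the kind the advisory describes: it climbs out of
            # the install directory. zipfile stores the name unchanged.
            zf.writestr("../outside.txt", "escaped\n")
    return buf.getvalue()


def demo() -> dict:
    """Install the benign wheel, then reject the crafted one, in a scratch dir."""
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        site_ok, site_bad = tmp / "site-ok", tmp / "site-bad"
        site_ok.mkdir()
        site_bad.mkdir()
        written = extract_wheel(build_sample_wheel(malicious=False), site_ok)
        try:
            extract_wheel(build_sample_wheel(malicious=True), site_bad)
            rejected = None
        except UnsafeArchiveMember as exc:
            rejected = str(exc)
        return {
            "written": sorted(p.relative_to(site_ok).as_posix() for p in written),
            "rejected": rejected,
            # Neither the escaped file nor any partial install must exist.
            "escaped_file_exists": (tmp / "outside.txt").exists(),
            "partial_files": sum(1 for p in site_bad.rglob("*") if p.is_file()),
        }


if __name__ == "__main__":
    print(demo())
```

The lexical check alone is what the advisory calls a containment check; the `realpath` comparison is an extra layer for destinations that already contain symlinks. Checking all members before writing any is the difference between "no install" and "half an install plus one stray file" when a crafted wheel is rejected.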
References
- https://github.com/python-poetry/poetry/security/advisories/GHSA-2599-h6xx-hpxp (x_refsource_CONFIRM)
- https://github.com/python-poetry/poetry/pull/10792 (x_refsource_MISC)
- https://github.com/python-poetry/poetry/releases/tag/2.3.3 (x_refsource_MISC)
Affected products
- >= 1.4.0, < 2.3.3
Matching in nixpkgs
pkgs.poetry
Python dependency management and packaging made easy
pkgs.poetry2conda
Script to convert a Python project declared on a pyproject.toml to a conda environment
pkgs.pipenv-poetry-migrate
This is simple migration script, migrate pipenv to poetry
pkgs.python312Packages.poetry-core
Poetry PEP 517 Build Backend
pkgs.python313Packages.poetry-core
Poetry PEP 517 Build Backend
pkgs.python314Packages.poetry-core
Poetry PEP 517 Build Backend
pkgs.poetryPlugins.poetry-plugin-up
Poetry plugin to simplify package updates
pkgs.python312Packages.poetry-semver
Semantic versioning library for Python
pkgs.python313Packages.poetry-semver
Semantic versioning library for Python
pkgs.python314Packages.poetry-semver
Semantic versioning library for Python
pkgs.poetryPlugins.poetry-audit-plugin
Poetry plugin for checking security vulnerabilities in dependencies
pkgs.poetryPlugins.poetry-plugin-shell
Poetry plugin to run subshell with virtual environment activated
pkgs.poetryPlugins.poetry-plugin-export
Poetry plugin to export the dependencies to various formats
- nixos-25.11 1.9.0-unstable-2025-09-14
- nixos-25.11-small 1.9.0-unstable-2025-09-14
- nixpkgs-25.11-darwin 1.9.0-unstable-2025-09-14
pkgs.poetryPlugins.poetry-plugin-migrate
Poetry plugin to migrate pyproject.toml from Poetry v1 to v2 (PEP-621 compliant)
pkgs.poetryPlugins.poetry-plugin-poeblix
Poetry Plugin that adds various features that extend the poetry command such as building wheel files with locked dependencies, and validations of wheel/docker containers
pkgs.python312Packages.poetry-dynamic-versioning
Plugin for Poetry to enable dynamic versioning based on VCS tags
pkgs.python313Packages.poetry-dynamic-versioning
Plugin for Poetry to enable dynamic versioning based on VCS tags
pkgs.python314Packages.poetry-dynamic-versioning
Plugin for Poetry to enable dynamic versioning based on VCS tags
Package maintainers
- @gador Florian Brandes <florian.brandes@posteo.de>
- @dotlambda <nix@dotlambda.de>
- @jbaum98 Jake Waksbaum <jake.waksbaum@gmail.com>
- @cpcloud Phillip Cloud
- @hennk Henning Kiel <henning.kiel@gmail.com>
- @K900 Ilya K. <me@0upti.me>
- @mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
- @natsukium Tomoya Otabi <nixpkgs@natsukium.com>
- @zevisert Zev Isert <dev@zevisert.ca>