GHSA-4xgf-cpjx-pc3j: Directory Traversal and Symlink Following in Pydantic Settings

The library pydantic-settings is a widely adopted configuration management framework for Python applications, building upon Pydantic to parse environment and filesystem values. Inside this framework, the NestedSecretsSettingsSource class handles the resolution of secrets from a designated directory, mapping on-disk files to configuration properties. When the secrets_nested_subdir option is enabled, the library reads these subdirectories recursively, which maps complex directory hierarchies into nested model structures.

The security model of the secrets directory loader assumes that files are strictly retrieved from the directory designated by the secrets_dir parameter. To prevent uncontrolled system resource consumption, developers can define a size ceiling using the secrets_dir_max_size setting. This check is designed to prevent the application from reading arbitrarily large files into active process memory during startup.

However, a serious security discrepancy exists within the directory-traversal and file-scanning operations of this component. The library fails to validate whether resolved file paths remain within the boundary of the configured root directory. Consequently, local privilege escalation or arbitrary file disclosure can occur if an attacker can manipulate files or insert symbolic links in the target directory.

The core vulnerability arises from a logic discrepancy between the validation routines and the file loading mechanisms. During the validation phase, NestedSecretsSettingsSource executes a size check using pathlib.Path.glob('**/*') to verify that the total directory size does not exceed the limit. In standard Python runtime environments, pathlib.Path.glob does not descend into symbolic links that reference external directories.

Directly following this check, the loading phase is initiated using glob.iglob with recursive=True to retrieve configuration keys. Unlike the validation routine, glob.iglob automatically follows symbolic links pointing to external directories on the host filesystem. This inconsistent behavior allows symbolic links to bypass the maximum file size validation checks entirely.

An attacker can exploit this behavior by placing a directory symbolic link pointing to a sensitive system folder inside the designated secrets directory. The size check calculates the symbolic link size as zero bytes, bypassing the secrets_dir_max_size safety boundary. The loader subsequently resolves the link and reads the targeted external files into the application memory space.

In addition to information leakage, this logic flaw exposes the application to a denial-of-service condition. Because glob.iglob does not maintain a history of visited directories, cyclic symbolic links trigger infinite recursive loops during loading. This behavior leads to excessive CPU and memory consumption, eventually crashing the application process.

To analyze the implementation discrepancy, we examine the vulnerable code path inside nested_secrets.py. The validation step computes the total directory size using path.glob:

# Vulnerable validation implementation
secrets_dir_size = sum(f.stat().st_size for f in path.glob('**/*') if f.is_file())

Directly after the size validation check, the file loading pass uses the standard glob.iglob function:

# Vulnerable file loader implementation
return {
    str(p.relative_to(path)): p.read_text().strip()
    for p in map(Path, iglob(f'{path}/**/*', recursive=True))
    if p.is_file()
}

The patch resolves this discrepancy by replacing the differing glob libraries with a custom directory walker named _iter_secret_files. This custom walker explicitly tracks visited directories in a set named seen_dirs and computes canonical paths using Path.resolve(). If a directory has already been visited, the loop terminates immediately, preventing cyclic symlink loops.

# Patched recursive walker preventing traversal and cyclic loops
seen_dirs: set[Path] = set()
 
def walk(directory: Path) -> Iterator[Path]:
    resolved_dir = directory.resolve()
    if resolved_dir in seen_dirs:
        return
    seen_dirs.add(resolved_dir)
    try:
        entries = sorted(directory.iterdir())
    except OSError:
        return
    for entry in entries:
        resolved = entry.resolve()
        if resolved.is_dir():
            if resolved == path or path in resolved.parents:
                yield from walk(entry)
        elif resolved.is_file() and path in resolved.parents:
            yield entry

Both the size validation engine and the loader call this unified iterator, ensuring that the processed file sets are identical. Symbolic links pointing to files outside the designated secrets_dir are rejected because the condition path in resolved.parents is not met. This prevents out-of-bounds files from contributing to the size computation or being read during initialization.

Exploitation requires that an attacker have sufficient local permissions to create or modify files inside the configured secrets_dir path. This scenario frequently occurs in multi-tenant environments, shared hosting platforms, or systems where container volumes are exposed to unprivileged users. The attacker must also target an application with secrets_nested_subdir enabled on NestedSecretsSettingsSource.

To initiate the exploit, the attacker maps out the physical layout of the application's configuration directory. They inject a symbolic link pointing to a sensitive file or directory located elsewhere on the host machine:

ln -s /etc/passwd secrets_dir/database_config

When the host application initializes, the size validation check processes database_config as a zero-byte entry, bypassing the limit. The loader then processes the virtual relative path database_config and executes p.read_text().strip() on the target /etc/passwd. The contents of the target file are loaded directly into the Pydantic schema parameter assigned to the database configuration.

To execute a denial-of-service attack, the attacker constructs a self-referential directory structure. By running ln -s ../ secrets_dir/loop, the loader enters an infinite traversal cycle. This recursion consumes execution resources, causing CPU exhaustion and memory inflation that terminates the parent process.

The confidentiality impact of this vulnerability is moderate depending on the access controls of the execution environment. If the application runs under a privileged user context, an attacker can extract sensitive system files such as password databases or service tokens. This information leakage occurs silently during startup, making detection difficult without structural filesystem auditing.

The integrity of file loading mechanisms is compromised because the size constraints set by developers are bypassed. Large external files are loaded into memory without throwing size validation exceptions, which can result in heap fragmentation or out-of-memory errors. This behavior invalidates the effectiveness of configuration safeguards.

Availability threats are high due to the lack of cyclic path detection in the older loader implementation. A single cyclic symbolic link can cause a persistent denial-of-service state on application startup. In automated container environments, this crash behavior can trigger infinite restart loops, leading to cluster instability.

The CVSS score of 5.3 reflects the requirement of local filesystem write privileges to execute the attack. However, in containerized deployments or cloud infrastructure where secrets directories are shared across pods, this vulnerability can serve as a vector for container escape or lateral movement.

The definitive remediation path is upgrading the pydantic-settings dependency to version 2.14.2 or later. This version introduces the unified custom directory walker that restricts symbolic links and prevents recursive loops. Upgrading can be verified by checking that _iter_secret_files is present in the NestedSecretsSettingsSource class.

If upgrading is not immediately possible, disabling nested subdirectory configuration is an effective workaround. Setting the parameter secrets_nested_subdir=False stops the recursive scanning behavior and prevents the loader from descending into directory symbolic links. This configuration effectively neutralizes the primary traversal vector.

Additionally, administrators should apply strict filesystem permissions to the secrets_dir path. Restricting directory access with a 0700 permission mask ensures that only the application runtime user can read or write configuration files. This permission restriction prevents lower-privileged local users from injecting malicious symbolic links.

Finally, deployment workflows should integrate automated filesystem scanning to identify illegal symbolic links in configuration directories. Running file auditing commands during container startup can detect symlinks pointing to paths outside the deployment root. If external links are detected, the container initialization sequence should be aborted.