Skip to content

Path Traversal and XSS in Include directive

High
lepture published GHSA-h7ww-273w-6cm8 Jun 21, 2026

Package

pip mistune (pip)

Affected versions

<= 3.2.0

Patched versions

3.3.0

Description

The Include directive in src/mistune/directives/include.py does not validate that the resolved file path stays within the source directory, allowing path traversal via ../ sequences to read arbitrary files.

Additionally, error messages and included file contents are rendered without HTML escaping, leading to XSS even when escape=True.

Affected functions:

  • Path resolution (lines 27-31)
  • block_error() in html.py (line 140)
  • render_html_include() (line 72)

The Include plugin must be explicitly enabled via the plugins parameter.

Severity

High

CVE ID

No known CVE

Weaknesses

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Learn more on MITRE.

Credits