python · pydantic-settings
Heads-up
pydantic-settings: NestedSecretsSettingsSource follows symlinks outside secrets_dir
What changed
NestedSecretsSettingsSource in pydantic-settings follows symbolic links pointing outside the configured secrets_dir, bypassing the secrets_dir_max_size protection and allowing unintended local file reads into settings values.
Who it affects
Applications using NestedSecretsSettingsSource with secrets_nested_subdir=True and a secrets_dir whose entries can be influenced by an attacker or lower-privileged component.
What to do today
Upgrade to pydantic-settings 2.14.2. If upgrading is not possible, ensure the configured secrets_dir is fully controlled and avoid secrets_nested_subdir=True.
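A pre-flight audit that enforces the "fully controlled secrets_dir" mitigation above, added here as an example and not code from pydantic-settings: it walks the tree without following links and flags any symlink whose resolved target lies outside secrets_dir, plus any file whose resolved size exceeds a cap. DEFAULT_MAX_SIZE and the demo fixture are constructed assumptions, not the library's values.

```python
import os
import tempfile
from pathlib import Path

# Assumed cap for the demo; the page does not state the library's own default
# value of secrets_dir_max_size, so this number is a placeholder.
DEFAULT_MAX_SIZE = 16 * 1024 * 1024


def audit_secrets_dir(secrets_dir, max_size=DEFAULT_MAX_SIZE):
    """Return (relative_path, reason) findings for entries that a symlink-following
    loader would read from outside secrets_dir, or that exceed max_size once the
    link is resolved. An empty list means the tree is safe to hand to a loader."""
    root = Path(secrets_dir).resolve(strict=True)
    findings = []

    def walk(directory):
        with os.scandir(directory) as entries:
            for entry in entries:
                path = Path(entry.path)
                rel = path.relative_to(root).as_posix()
                if entry.is_symlink():
                    target = path.resolve()  # follow the whole link chain
                    if not target.is_relative_to(root):
                        findings.append((rel, f"symlink escapes secrets_dir -> {target}"))
                        continue  # never stat or descend through an escaping link
                    if target.is_dir():
                        continue  # in-tree directory link: the real dir is walked anyway
                if entry.is_dir(follow_symlinks=False):
                    walk(path)
                elif entry.is_file():  # follows in-tree file links for the size check
                    size = path.stat().st_size
                    if size > max_size:
                        findings.append((rel, f"size {size} exceeds max_size {max_size}"))

    walk(root)
    return findings


def demo(with_escaping_link=True):
    """Constructed fixture: one nested secret, plus an optional link to a file outside."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = Path(tmp) / "outside.txt"
        outside.write_text("not-a-secret")
        secrets = Path(tmp) / "secrets"
        (secrets / "db").mkdir(parents=True)
        (secrets / "db" / "password").write_text("s3cr3t")
        if with_escaping_link:
            (secrets / "db" / "leak").symlink_to(outside)
        return audit_secrets_dir(secrets)
```

Run the audit at startup and refuse to construct the settings source when it returns any findings.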