CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

DSA-6386-1 opam - security update

unknownCVE-2026-57825
Kate Deplaix reported that .install file directives were insufficiently restricted in OPAM, a package manager for OCaml. Installing files through .install files did not check symlinks resolution on the target path, which could result in directory traversal out of the package area. https://security-tracker.debian.org/tracker/DSA-6386-1

CSIRTS triage

What
Insufficient restrictions in .install file directives can lead to directory traversal vulnerabilities.
Who is affected
Users of OPAM who install packages are affected.
Urgency
Remediation is necessary as exploitation is possible, though the severity is unknown.
Action
Users should update OPAM to the latest version to mitigate this issue.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch OPAM

Get an email when a new OPAM advisory drops — max one per day, one-click unsubscribe.

Details

Source
Debian Security Advisories (INTL · vendor-psirt · site)
Severity
unknown
Published
2026-07-10
Exploitation
Not in CISA KEV at last sync

Original advisory: https://lists.debian.org/debian-security-announce/2026/msg00297.html

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-57825coverage & exploitation statusNVD · CVE.org

More from Debian Security Advisories