Description
The consul-template library before version 0.42.1 is vulnerable to a path redirection issue in the writeToFile template helper that may allow template output to be written outside the intended directory or to overwrite an existing file. This vulnerability (CVE-2026-14361) is fixed in consul-template 0.42.1.
Problem types
CWE-59: Improper Link Resolution Before File Access (Link Following)
Product status
0.1.0 (semver) before 0.42.1
Credits
This issue was reported to HashiCorp by Mohamed Abdelaal (0xmrma).
References
discuss.hashicorp.com/...h-redirections-in-writetofile/77559