{"id":"GHSA-v856-2rf8-9f28","summary":"pydicom has a path traversal in FileSet/DICOMDIR ReferencedFileID allows file access outside the File-set root","details":"### Summary\nA crafted `DICOMDIR` can set `ReferencedFileID` to a path outside the File-set root. `pydicom` resolves the path only to confirm that it exists, but does not verify that the resolved path remains under the File-set root. Subsequent public `FileSet` operations such as `copy()`, `write()`, and `remove()+write(use_existing=True)` use that unchecked path in file I/O operations. This allows arbitrary file read/copy and, in some flows, move/delete outside the File-set root.\n\n### Details\nVerified on `pydicom 3.1.0.dev0`.\n\nRelevant logic is in `src/pydicom/fileset.py`:\n\n- `RecordNode._file_id` converts `ReferencedFileID` directly to `Path(...)`\n- `FileSet.load()` checks only `(root / file_id).resolve(strict=True)` to confirm existence\n- `FileSet.load()` does not verify that the final resolved path is contained within the File-set root\n- `FileInstance.path` returns `self.file_set.path / self.node._file_id`\n- `FileSet.copy()` uses `shutil.copyfile(instance.path, dst)`\n- `FileSet.write()` uses `Path(instance.path).unlink()` and `shutil.move(...)`\n\nBecause there is no containment check such as `resolved.relative_to(root.resolve(strict=True))`, a malicious `DICOMDIR` can reference:\n\n- absolute paths such as `/etc/passwd`\n- traversal paths such as `../...`\n- syntactically conformant file IDs that escape via symlinks\n\nThis is not limited to obviously invalid VR input. Even when `pydicom` emits warnings for invalid `ReferencedFileID` values, the operation is not blocked. I also confirmed a symlink-based variant using a conformant file ID.\n\nA realistic server-side scenario is:\n\n1. a user uploads a DICOM File-set zip\n2. the server loads the uploaded `DICOMDIR` using `FileSet`\n3. the server re-exports or reorganizes the File-set using `FileSet.copy()` or `FileSet.write()`\n4. a server-local file referenced by the malicious `DICOMDIR` is included in the exported result\n\n### PoC\nMinimal reproduction:\n\n1. Copy a sample File-set that contains a valid `DICOMDIR`\n2. Modify one `DirectoryRecordSequence` item so that `ReferencedFileID = \"/etc/passwd\"` (or `/tmp/secret.txt`)\n3. Load it with `FileSet(ds)` or `FileSet(path_to_dicomdir)`\n4. Call `FileSet.copy(new_root)`\n5. Observe that the exported File-set contains the contents of the referenced external file\n\nExample:\n\n```python\nfrom pathlib import Path\nfrom tempfile import mkdtemp\nimport shutil\nfrom pydicom import dcmread\nfrom pydicom.fileset import FileSet\n\nbase = Path(\"src/pydicom/data/test_files/dicomdirtests\")\nroot = Path(mkdtemp(prefix=\"fsroot_\"))\nout = Path(mkdtemp(prefix=\"fsout_\"))\n\nshutil.copy2(base / \"DICOMDIR\", root / \"DICOMDIR\")\nfor d in (\"77654033\", \"98892003\", \"98892001\"):\n    shutil.copytree(base / d, root / d)\n\nds = dcmread(root / \"DICOMDIR\")\nitem = next(x for x in ds.DirectoryRecordSequence if \"ReferencedFileID\" in x)\nitem.ReferencedFileID = \"/etc/passwd\"\n\nfs = FileSet(ds)\nfs.copy(out)\n```\n\nI also verified the issue in a simple web import/export demo where an uploaded malicious File-set caused /etc/passwd to be copied into the exported result.\n\nIf useful, I can provide the exact malicious sample and the demo environment separately.\n\n### Impact\nThis is a path traversal / root containment bypass in FileSet handling.\n\nObserved impact:\n\narbitrary file read/copy outside the File-set root via FileSet.copy()\narbitrary file move outside the File-set root via FileSet.write()\narbitrary file delete outside the File-set root via FileSet.remove(...); write(use_existing=True)\nAffected applications are those that accept untrusted DICOMDIR / File-set input and then call public FileSet workflows such as load(), copy(), write(), or remove().\n\nA realistic impact is server-side file disclosure in import/export workflows.","aliases":["CVE-2026-32711"],"modified":"2026-03-20T16:02:27.836150Z","published":"2026-03-20T15:57:01Z","database_specific":{"severity":"HIGH","github_reviewed_at":"2026-03-20T15:57:01Z","github_reviewed":true,"nvd_published_at":"2026-03-20T02:16:33Z","cwe_ids":["CWE-22"]},"references":[{"type":"WEB","url":"https://github.com/pydicom/pydicom/security/advisories/GHSA-v856-2rf8-9f28"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32711"},{"type":"WEB","url":"https://github.com/pydicom/pydicom/commit/6414f01a053dff925578799f5a7208d2ae585e82"},{"type":"PACKAGE","url":"https://github.com/pydicom/pydicom"},{"type":"WEB","url":"https://github.com/pydicom/pydicom/releases/tag/v3.0.2"}],"affected":[{"package":{"name":"pydicom","ecosystem":"PyPI","purl":"pkg:pypi/pydicom"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.0.0"},{"fixed":"3.0.2"}]}],"versions":["3.0.0","3.0.1"],"database_specific":{"last_known_affected_version_range":"\u003c= 3.0.1","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-v856-2rf8-9f28/GHSA-v856-2rf8-9f28.json"}},{"package":{"name":"pydicom","ecosystem":"PyPI","purl":"pkg:pypi/pydicom"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.5"}]}],"versions":["0.9.1","0.9.2","0.9.3","0.9.4-1","0.9.5","0.9.6","0.9.7","0.9.8","0.9.9","1.0.1","1.0.1rc1","1.0.2","1.1.0","1.2.0","1.2.0rc1","1.2.1","1.2.2","1.3.0","1.4.0","1.4.0rc1","1.4.1","1.4.2","2.0.0","2.0.0rc1","2.1.0","2.1.1","2.1.2","2.2.0","2.2.0rc1","2.2.1","2.2.2","2.3.0","2.3.1","2.4.0","2.4.1","2.4.2","2.4.3","2.4.4"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-v856-2rf8-9f28/GHSA-v856-2rf8-9f28.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}