
Gleam fixes git dependency path traversal file overwrite

Published 11 Apr 2026. Source: GitHub Security Advisory

TL;DR — A path traversal in Gleam’s git dependency download can delete/overwrite attacker-chosen directories (including .git/hooks), creating a practical supply-chain path to developer or CI runner compromise.

What happened

Gleam is a statically typed programming language and toolchain used to build BEAM (Erlang VM) applications (and also targets JavaScript). A GitHub security advisory published April 11, 2026 describes a path traversal / arbitrary path write issue in how Gleam handles git-based dependencies.

The advisory states that dependency names from gleam.toml and manifest.toml are incorporated into filesystem paths without sufficient validation or confinement. During dependency resolution (e.g., running gleam deps download), a malicious direct or transitive git dependency can cause filesystem operations (deletion/creation) to occur outside the intended dependency directory, including attacker-chosen absolute paths.
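To make the failure mode concrete, here is an added illustration (not Gleam's own code) of why incorporating a dependency name into a path without confinement is dangerous, beside a hardened version. It assumes a package directory such as build/packages and that valid names are lowercase identifiers; the path values are constructed for the example.

```rust
use std::path::{Component, Path, PathBuf};

/// Allow only plain identifiers: a lowercase ASCII letter followed by lowercase
/// letters, digits or underscores. Assumption: this approximates Gleam/Hex package
/// naming; the check is illustrative and not Gleam's own validation.
pub fn is_valid_dep_name(name: &str) -> bool {
    let mut chars = name.chars();
    matches!(chars.next(), Some(c) if c.is_ascii_lowercase())
        && chars.all(|c| c.is_ascii_lowercase() || c.is_ascii_digit() || c == '_')
}

/// Naive join, kept to show the failure mode: `Path::join` discards `deps_dir`
/// entirely when `name` is absolute, and keeps `..` components verbatim.
pub fn unconfined_dep_path(deps_dir: &Path, name: &str) -> PathBuf {
    deps_dir.join(name)
}

/// Purely lexical containment check: `candidate` must start with `base` and add
/// only Normal components after it. `Path::starts_with` alone is not enough,
/// since "/deps/../etc" starts with "/deps" component-wise, so `..` is rejected
/// explicitly. Symlinks inside `base` are a separate concern not covered here.
pub fn lexically_inside(base: &Path, candidate: &Path) -> bool {
    candidate.starts_with(base)
        && candidate
            .components()
            .skip(base.components().count())
            .all(|c| matches!(c, Component::Normal(_)))
}

/// Hardened version: validate the name first, then confine the joined path.
/// Returns None on any name that would escape `deps_dir`.
pub fn confined_dep_path(deps_dir: &Path, name: &str) -> Option<PathBuf> {
    if !is_valid_dep_name(name) {
        return None;
    }
    let candidate = deps_dir.join(name);
    lexically_inside(deps_dir, &candidate).then_some(candidate)
}

fn main() {
    // Constructed sample names: one benign, two that escape the package directory.
    let deps = Path::new("/work/project/build/packages");
    for name in ["gleam_stdlib", "../../.git/hooks", "/tmp/evil"] {
        println!(
            "{name:?}: naive={:?} confined={:?}",
            unconfined_dep_path(deps, name),
            confined_dep_path(deps, name)
        );
    }
}
```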

Item | Source value
Impact | Arbitrary file/directory deletion and overwrite outside the dependency directory; potential persistence or code execution if written to executed locations (e.g., .git/hooks)
Severity (source) | Moderate, CVSS v4 overall score 6.2
Affected versions (source) | >= 1.9.0-rc1 and < 1.15.3 and < 1.16.0-rc1
Patched versions (source) | 1.15.3, 1.16.0-rc1

What makes this operationally important is that it hits a phase teams often assume is “safe-ish” (dependency fetch/prepare), and it’s a clean fit for real-world supply-chain scenarios (malicious or compromised git dependency in a build pipeline).

Who is impacted

  • Projects that use git-based dependencies (direct or transitive) and run dependency install/update flows.
  • Developer workstations or CI runners that execute gleam deps download on untrusted code (e.g., PRs from forks, third-party templates, vendor “sample” repos, or compromised dependency sources).
  • Environments where overwriting sensitive paths can be chained into execution later (e.g., .git/hooks, shell startup files, build scripts).

What to do now

  • Follow vendor remediation guidance and move to a patched Gleam release identified in the advisory (1.15.3 or 1.16.0-rc1).
  • Apply the advisory’s stated workarounds where patching isn’t immediate:
      • Avoid using untrusted git dependencies, especially without pinning to a specific commit SHA
      • Review dependency trees carefully, including transitive git dependencies
      • Run dependency resolution commands in a restricted or isolated environment (e.g. containers)
      • Avoid running such commands in repositories containing sensitive data

  • Treat this as a CI hardening item: ensure dependency resolution for untrusted contributions runs in isolated, throwaway environments with tightly scoped filesystem permissions and limited credential/material access.

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
