CVE ID: CVE-2025-9118
CVSS v4.0: 10.0 Critical (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N)
Publish Date: August 25, 2025
TL;DR
A critical path traversal vulnerability exists in Google Cloud Dataform’s NPM package installation process. A remote, unauthenticated attacker can craft a malicious package.json to read from and write to other customers’ repositories. This could allow unauthorized access or modification of sensitive data across tenants. Google has patched the issue, and no further customer action is required.
Affected Versions
- Google Cloud Dataform environments that use the NPM package installation mechanism prior to the August 21, 2025 security bulletin (GCP-2025-045).
Vulnerability Details
- Type: Path traversal (CWE-22) during NPM package installation
- Description: A crafted package.json could bypass path restrictions, enabling an attacker to read and write to other customers’ repositories.
- Exploitability: Remote, unauthenticated, no user interaction required
- Impact: High risk to confidentiality and integrity, with potential for unauthorized data access and tampering
Recommended Action
- No customer action required — Google has fully applied mitigations across all affected Dataform services as of the GCP-2025-045 bulletin.
- Customers should continue to:
  - Monitor repositories for unexpected changes
  - Stay up to date with Google Cloud security bulletins
Affected Environments
- Multi-tenant Google Cloud Dataform setups using NPM package installs
- Highest risk for organizations sharing repositories or infrastructure across tenants
TTP Mapping (MITRE ATT&CK)
- Initial Access / Execution: Path traversal via malicious package.json during NPM install (CWE-22)
- Impact: Unauthorized repository access leading to loss of confidentiality and integrity
References
- Google Cloud Security Bulletin GCP-2025-045
- Tenable CVE-2025-9118 Summary
- OffSeq Radar Analysis of CVE-2025-9118
- CVEDetails Entry for CVE-2025-9118
Disclaimer
This post summarizes publicly available information for cybersecurity awareness and remediation planning. No exploit code or sensitive operational details are provided.