Dark Web Informer - Cyber Threat Intelligence

CVE-2025-9118: Google Cloud Dataform NPM Path Traversal Vulnerability

CVE ID: CVE-2025-9118
CVSS v4.0: 10.0 Critical (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N)
Publish Date: August 25, 2025


TL;DR

A critical path traversal vulnerability exists in Google Cloud Dataform’s NPM package installation process. A remote, unauthenticated attacker can craft a malicious package.json to read from and write to other customers’ repositories. This could allow unauthorized access or modification of sensitive data across tenants. Google has patched the issue, and no further customer action is required.


Affected Versions

  • Google Cloud Dataform environments that use the NPM package installation mechanism prior to the August 21, 2025 security bulletin (GCP-2025-045).

Vulnerability Details

  • Type: Path traversal (CWE-22) during NPM package installation
  • Description: A crafted package.json could bypass path restrictions, enabling an attacker to read and write to other customers’ repositories.
  • Exploitability: Remote, unauthenticated, no user interaction required
  • Impact: High risk to confidentiality and integrity, with potential for unauthorized data access and tampering

Mitigation

  • No customer action required: Google has fully applied mitigations across all affected Dataform services as of the GCP-2025-045 bulletin.
  • Customers should continue to:
    • Monitor repositories for unexpected changes
    • Stay up to date with Google Cloud security bulletins

Affected Environments

  • Multi-tenant Google Cloud Dataform setups using NPM package installs
  • Highest risk for organizations sharing repositories or infrastructure across tenants

TTP Mapping (MITRE ATT&CK)

  • Initial Access / Execution: Path traversal via malicious package.json during NPM install (CWE-22)
  • Impact: Unauthorized repository access leading to loss of confidentiality and integrity

Disclaimer

This post summarizes publicly available information for cybersecurity awareness and remediation planning. No exploit code or sensitive operational details are provided.