Mako Template Engine Path Traversal Vulnerability Exposed in GitHub Security Advisory GHSA-v92g-xgxw-vvmm
A critical path traversal vulnerability has been disclosed in the widely used Mako templating engine for Python, tracked as GHSA-v92g-xgxw-vvmm. The flaw lies in `TemplateLookup.get_template()`, which does not properly sanitize caller-supplied template URIs before resolving them against the configured template directories. Specifically, two core components normalize leading slashes differently: `Template.__init__` removes only one leading slash, while `TemplateLookup.get_template()` strips all of them. An attacker who controls the URI can exploit this inconsistency with a value that starts with `//` (for example `//../../../secret.txt`) to escape the intended directory and have the lookup read files elsewhere on the server's filesystem. The exposure is bounded by what the application's process can read, and it arises only where an application passes user-influenced values, such as a URL path segment or a query parameter, into `get_template()`; a call site that looks up a fixed, hard-coded template name gives an attacker nothing to traverse with.
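The resolution weakness described above, and one way to guard against the traversal class it belongs to, as an added Python example that is neither Mako's code nor the upstream patch. `lookup_style_resolve` is a deliberately simplified model of the pre-fix lookup behaviour attributed to `get_template()` (strip every leading slash, join the remainder to each search directory, normalize, return the first existing file); it does not reproduce the separate `Template.__init__` normalization, so it demonstrates why stripping slashes alone never constrains a path rather than the exact two-component mismatch. `safe_resolve` adds a containment check on the resolved real path. The directory tree and file contents are constructed for the demonstration.

```python
import os
import posixpath
import re
import tempfile


def lookup_style_resolve(uri, directories):
    """Simplified model of the pre-fix lookup behaviour described in the
    advisory (not Mako's code): strip every leading slash, join the rest to
    each search directory, normalize, and return the first existing file.
    Nothing confirms that the result is still inside the directory, so any
    ".." segments that survive normalization walk out of the template root.
    """
    stripped = re.sub(r"^/+", "", uri)
    for directory in directories:
        candidate = posixpath.normpath(posixpath.join(directory, stripped))
        if os.path.isfile(candidate):
            return candidate
    return None


def safe_resolve(uri, directories):
    """Hardened resolver: the same stripping, but the candidate is resolved to
    its real path and rejected unless it lies under the real path of the
    search directory. realpath() also defeats symlink-based escapes, which
    plain string normalization does not catch."""
    stripped = re.sub(r"^/+", "", uri)
    for directory in directories:
        root = os.path.realpath(directory)
        candidate = os.path.realpath(os.path.join(root, stripped))
        try:
            inside = os.path.commonpath([root, candidate]) == root
        except ValueError:  # e.g. paths on different drives on Windows
            inside = False
        if inside and os.path.isfile(candidate):
            return candidate
    return None


def build_fixture():
    """Constructed sample tree for the demonstration (hypothetical content):
        <tmp>/site/app/templates/index.html   legitimate template
        <tmp>/secret.txt                      file three levels above the root
    Returns the template directory."""
    base = tempfile.mkdtemp()
    template_dir = os.path.join(base, "site", "app", "templates")
    os.makedirs(template_dir)
    with open(os.path.join(template_dir, "index.html"), "w") as fh:
        fh.write("<h1>${title}</h1>\n")
    with open(os.path.join(base, "secret.txt"), "w") as fh:
        fh.write("db_password=constructed-example-value\n")
    return template_dir


def demo():
    """Resolve a legitimate URI and the advisory-shaped traversal URI with
    both resolvers; returns which lookups succeeded."""
    directories = [build_fixture()]
    legit = "/index.html"
    evil = "//../../../secret.txt"  # the shape quoted in the advisory
    return {
        "legit_lookup": lookup_style_resolve(legit, directories) is not None,
        "evil_lookup": lookup_style_resolve(evil, directories) is not None,
        "legit_safe": safe_resolve(legit, directories) is not None,
        "evil_safe": safe_resolve(evil, directories) is not None,
    }


if __name__ == "__main__":
    for name, found in demo().items():
        print(f"{name}: {'resolved' if found else 'refused'}")
```

Running the block shows the simplified lookup happily returning `secret.txt` for the `//../../../secret.txt` URI while the containment-checked resolver refuses it and still serves `index.html`. The check belongs at the point where a library turns a URI into a filesystem path; an application cannot retrofit it into a dependency, which is why the upgrade matters and why, until it is deployed, attacker-controlled values should be matched against an allow-list of known template names before they reach the lookup.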
The vulnerability, patched in Mako 1.3.11, affects any Python web application or service that uses the `TemplateLookup` class to load Mako templates from the filesystem with URIs it does not fully control. The advisory was published by the project maintainers through GitHub, whose advisory database feeds the vulnerability data that dependency scanners consume. As a result, automated alerts and upgrade pull requests have appeared in many repositories, with tools such as RenovateBot proposing a bump from affected releases such as 1.2.4 to 1.3.11.
This incident underscores the persistent risk of logic flaws in foundational open-source libraries and the security debt they pass on to everything built on them. Although a patch is available, real-world exposure depends on how quickly downstream projects adopt it. Organizations relying on Mako should treat the upgrade to 1.3.11 or later as high priority: server-side file disclosure of this kind can expose configuration files containing credentials, application source code, or other material that enables further compromise. Until the upgrade is deployed, the practical mitigation is to ensure that no attacker-controlled value reaches `TemplateLookup.get_template()` without first being matched against an allow-list of known template names. The fix itself corrects the slash-stripping logic so that both components normalize the URI consistently and the `//` prefix no longer resolves outside the intended directory.