CVE-2025-9118

GHSA-3cpq-gx29-gw6m

A path traversal vulnerability in the NPM package installation process of Google Cloud Dataform allows a remote attacker to read and write files in other customers' repositories via a maliciously crafted package.json file.