thefuck is vulnerable to path traversal. Using the “undo archive operation” feature allows deletion of arbitrary files outside of the working directory.
github.com/nvbn/thefuck/commit/e343c577cd7da4d304b837d4a07ab4df1e023092
github.com/nvbn/thefuck/releases/tag/3.31
lists.fedoraproject.org/archives/list/[email protected]/message/4MEDDLBFVRUQHPYIBJ4MFM3M4NUJUXL5/
lists.fedoraproject.org/archives/list/[email protected]/message/YA6UNQSOY6M3NJDZLS6YJXTS4WGDMEEJ/
vuln.ryotak.me/advisories/48
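
A containment check of the kind this bug calls for, as an added example (not thefuck's code and not the fix from the commit referenced above): before an "undo" deletes the files named in an archive, each member name is resolved and anything outside the working directory is skipped. The function names and the sample archive are constructed for illustration.

```python
import os
import tarfile
import tempfile


def safe_undo_targets(member_names, workdir):
    """Split archive member names into (paths inside workdir, rejected names)."""
    root = os.path.realpath(workdir)
    inside, rejected = [], []
    for name in member_names:
        # Resolve "..", absolute names and symlinks before comparing.
        target = os.path.realpath(os.path.join(root, name))
        # commonpath avoids the string-prefix pitfall ("/work" vs "/work-other").
        if target != root and os.path.commonpath([root, target]) == root:
            inside.append(target)
        else:
            rejected.append(name)
    return inside, rejected


def undo_extract(archive_path, workdir):
    """Delete only extracted files that lie inside workdir; return rejected names."""
    with tarfile.open(archive_path) as tar:
        names = tar.getnames()
    inside, rejected = safe_undo_targets(names, workdir)
    for path in inside:
        if os.path.isfile(path):
            os.remove(path)
    return rejected


def demo():
    # Constructed sample: one normal member and one "../" member.
    with tempfile.TemporaryDirectory() as base:
        work = os.path.join(base, "work")
        os.mkdir(work)
        outside = os.path.join(base, "outside.txt")
        inside = os.path.join(work, "notes.txt")
        for p in (outside, inside):
            open(p, "w").close()
        archive = os.path.join(base, "sample.tar")
        with tarfile.open(archive, "w") as tar:
            for name in ("notes.txt", "../outside.txt"):
                tar.addfile(tarfile.TarInfo(name))
        rejected = undo_extract(archive, work)
        return rejected, os.path.exists(inside), os.path.exists(outside)


if __name__ == "__main__":
    print(demo())
```

Rejected names are returned rather than silently dropped so the caller can report them to the user.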