opam 2.5.2 releaseOn , by
Feedback on this post is welcomed on Discuss!
We are pleased to announce the release of opam 2.5.2 fixing a security issue (OSEC-2026-10) and other minor things.
We advise everyone to upgrade. Please read on for installation and upgrade instructions.
Security fix
- OSEC-2026-10 / CVE-2026-57825: Fix a bug that allowed a package to install files anywhere on the system using a symlink to an external directory without warning the user and asking for their permission (#7005)
Distributions maintainers that have not already done so, are invited to either upgrade their opam package to 2.5.2 or backport the fix. For any questions please send an email to the authors of this here blog post as listed above.
Other changes
- Re-allow
..in.installfiles, partially reverting 2.5.1's #6898 (#7009, ocaml/dune#14393)
Try it!
The upgrade instructions are unchanged:
- Either from binaries: run
For Unix systems
bash -c "sh <(curl -fsSL https://opam.ocaml.org/install.sh) --version 2.5.2"or from PowerShell for Windows systems
Invoke-Expression "& { $(Invoke-RestMethod https://opam.ocaml.org/install.ps1) } -Version 2.5.2"or download manually from the Github "Releases" page to your PATH.
- Or from source, manually: see the instructions in the README.
You should then run:
opam init --reinit -ni
Please report any issues to the bug-tracker.
Happy hacking!


