GHSA-CFCJ-HQPF-HCCF

Vulnerability from github – Published: 2026-05-05 21:15 – Updated: 2026-05-05 21:15
VLAI?
Summary
@evomap/evolver: Path Traversal in `evolver fetch` default-branch `safeId` allows Hub-controlled overwrite of project files (RCE)
Details

Summary

The evolver fetch subcommand in index.js writes Hub-supplied bundled_files[] into a directory derived from a Hub-supplied skill_id. When --out is not used, the path-sanitizing regex permits . characters, allowing a skill_id of .. to escape the skills/ subdirectory and resolve to the user's current working directory. Combined with the file-extension allow-list (which includes .js/.json/.sh/.py/.md), this lets a malicious Hub overwrite the victim's index.js, package.json, or other files in cwd, achieving remote code execution on the next invocation of the evolver.

Details

The vulnerable code is in the fetch command handler:

// index.js:847-873
const data = await resp.json();
const outFlag = args.find(a => typeof a === 'string' && a.startsWith('--out='));
const safeId = String(data.skill_id || skillId).replace(/[^a-zA-Z0-9_\-\.]/g, '_');
let outDir;
if (outFlag) {
  const rawOut = outFlag.slice('--out='.length);
  // ...
  const resolvedOut = path.resolve(process.cwd(), rawOut);
  const cwd = path.resolve(process.cwd());
  const rel = path.relative(cwd, resolvedOut);
  if (rel.startsWith('..') || path.isAbsolute(rel)) {     // <-- traversal check exists for --out
    console.error('[fetch] --out= must resolve to a path inside the current working directory');
    process.exit(1);
  }
  outDir = resolvedOut;
} else {
  outDir = path.join('.', 'skills', safeId);              // <-- NO traversal check
}

if (!fs.existsSync(outDir)) fs.mkdirSync(outDir, { recursive: true });

Three problems compose:

  1. The regex allow-list permits .[^a-zA-Z0-9_\-\.] only strips characters outside this set, so the literal dot is preserved. A skill_id of .. (verified: '..'.replace(/[^a-zA-Z0-9_\-\.]/g,'_') === '..') survives sanitization.
  2. path.join collapses .. traversalpath.join('.', 'skills', '..') evaluates to '.' (the cwd), so outDir is now the user's working directory rather than ./skills/<id>.
  3. The traversal validation only runs in the --out branch — the default branch (the documented common case for evolver fetch --skill <id>) has no path.relative(...).startsWith('..') check.

The bundled-files write loop:

// index.js:881-906
const ALLOWED_SKILL_EXTENSIONS = new Set([
  '.js', '.mjs', '.cjs', '.ts', '.json', '.md', '.txt',
  '.sh', '.py', '.yml', '.yaml',
]);
// ...
for (const file of bundled) {
  if (!file || !file.name || typeof file.content !== 'string') continue;
  const safeName = path.basename(file.name);                       // basename of "index.js" is "index.js"
  const ext = path.extname(safeName).toLowerCase();
  if (!ALLOWED_SKILL_EXTENSIONS.has(ext)) { /* skip */ continue; }
  if (Buffer.byteLength(file.content, 'utf8') > MAX_SKILL_FILE_BYTES) { /* skip */ continue; }
  fs.writeFileSync(path.join(outDir, safeName), file.content, 'utf8');
}

path.basename strips directory components from the file name, but a basename of index.js is still index.js. The extension allow-list contains .js, so an attacker can write ./index.js (the evolver entry point itself), ./package.json, ./SKILL.md, etc.

There is no signature verification on the Hub response. buildHubHeaders() only authenticates the outgoing request; the response body is trusted as-is. The Hub stores skills uploaded by network participants, so any participant who can set a stored skill_id field to .. triggers this on every download.

PoC

Reproduces the exact code path from index.js:849-905:

cd /tmp && rm -rf evolver-poc-validate && mkdir evolver-poc-validate && \
  cp /path/to/EvoMap-evolver-src/index.js evolver-poc-validate/
cd evolver-poc-validate
wc -l index.js                                  # 1098 index.js (legitimate)

node -e "
const fs=require('fs'),path=require('path');
const data={
  skill_id:'..',
  content:'x',
  bundled_files:[{name:'index.js',content:'#!/usr/bin/env node\nconsole.log(\"PWNED\");'}]
};
const safeId=String(data.skill_id||'x').replace(/[^a-zA-Z0-9_\-\.]/g,'_');
const outDir=path.join('.','skills',safeId);
console.log('safeId:',JSON.stringify(safeId));   // '..'
console.log('outDir:',JSON.stringify(outDir));   // '.'
if(!fs.existsSync(outDir))fs.mkdirSync(outDir,{recursive:true});
for(const f of data.bundled_files){
  const n=path.basename(f.name);
  fs.writeFileSync(path.join(outDir,n),f.content);
}"

wc -l index.js                                  # 1 index.js  (clobbered)
head -3 index.js
# #!/usr/bin/env node
# console.log("PWNED");

Verified output: 1098 → 1 line; the legitimate evolver entry point is replaced with attacker-controlled JavaScript. Any subsequent node index.js <command> (including the --loop daemon mode that users run continuously) executes the attacker payload.

End-to-end attack: 1. Attacker uploads a skill to the A2A Hub whose stored skill_id is .. (or operates a malicious Hub / MitMs the connection / supplies a malicious A2A_HUB_URL). 2. The malicious response also carries bundled_files: [{name: 'index.js', content: '<attacker JS>'}]. 3. Victim runs node index.js fetch --skill=anything from the evolver checkout (the documented usage). 4. ./index.js is overwritten in place. 5. Victim's next node index.js invocation — even just node index.js --help or the run --loop daemon — executes attacker code with the victim's privileges.

Impact

  • Remote code execution in the victim's environment with the privileges of the evolver process. Because the loop daemon (node index.js run --loop) is the documented long-running mode, the malicious code typically gets executed within seconds of the next iteration.
  • Attacker can also overwrite package.json (allowed extension), SKILL.md, .env-adjacent .json/.yaml/.yml config files, and any whitelisted file already present in the cwd.
  • Trust boundary violation: evolver fetch is presented as a download operation; users would not expect it to overwrite the application binary or project files. The --out branch was hardened against exactly this; the default branch was missed.
  • A single malicious skill upload compromises every user that fetches it.

Recommended Fix

Reject safeId values that are not single non-traversing path segments before joining, or reuse the same path.relative check used in the --out branch. Minimal patch around index.js:849:

const safeId = String(data.skill_id || skillId).replace(/[^a-zA-Z0-9_\-\.]/g, '_');
if (
  safeId === '' ||
  safeId === '.' ||
  safeId === '..' ||
  safeId.includes('/') ||
  safeId.includes('\\') ||
  safeId.includes('\0')
) {
  console.error('[fetch] Hub returned an invalid skill_id: ' + JSON.stringify(safeId));
  process.exit(1);
}

Defense in depth — apply the existing traversal check to the default branch as well:

} else {
  const candidate = path.resolve(process.cwd(), 'skills', safeId);
  const skillsRoot = path.resolve(process.cwd(), 'skills');
  const rel = path.relative(skillsRoot, candidate);
  if (rel.startsWith('..') || path.isAbsolute(rel)) {
    console.error('[fetch] Hub returned a skill_id that escapes the skills/ directory');
    process.exit(1);
  }
  outDir = candidate;
}

Additionally, consider: - Removing . from the regex allow-list (skill IDs typically don't need dots). - Verifying a Hub-supplied signature over the response payload before writing any file to disk. - Disallowing bundled-file safeName values that match top-level project files (index.js, package.json, package-lock.json, etc.) regardless of outDir.

Severity ?
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.70.0-beta.4"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@evomap/evolver"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.70.0-beta.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-73"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T21:15:09Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe `evolver fetch` subcommand in `index.js` writes Hub-supplied `bundled_files[]` into a directory derived from a Hub-supplied `skill_id`. When `--out` is not used, the path-sanitizing regex permits `.` characters, allowing a `skill_id` of `..` to escape the `skills/` subdirectory and resolve to the user\u0027s current working directory. Combined with the file-extension allow-list (which includes `.js`/`.json`/`.sh`/`.py`/`.md`), this lets a malicious Hub overwrite the victim\u0027s `index.js`, `package.json`, or other files in cwd, achieving remote code execution on the next invocation of the evolver.\n\n## Details\n\nThe vulnerable code is in the `fetch` command handler:\n\n```js\n// index.js:847-873\nconst data = await resp.json();\nconst outFlag = args.find(a =\u003e typeof a === \u0027string\u0027 \u0026\u0026 a.startsWith(\u0027--out=\u0027));\nconst safeId = String(data.skill_id || skillId).replace(/[^a-zA-Z0-9_\\-\\.]/g, \u0027_\u0027);\nlet outDir;\nif (outFlag) {\n  const rawOut = outFlag.slice(\u0027--out=\u0027.length);\n  // ...\n  const resolvedOut = path.resolve(process.cwd(), rawOut);\n  const cwd = path.resolve(process.cwd());\n  const rel = path.relative(cwd, resolvedOut);\n  if (rel.startsWith(\u0027..\u0027) || path.isAbsolute(rel)) {     // \u003c-- traversal check exists for --out\n    console.error(\u0027[fetch] --out= must resolve to a path inside the current working directory\u0027);\n    process.exit(1);\n  }\n  outDir = resolvedOut;\n} else {\n  outDir = path.join(\u0027.\u0027, \u0027skills\u0027, safeId);              // \u003c-- NO traversal check\n}\n\nif (!fs.existsSync(outDir)) fs.mkdirSync(outDir, { recursive: true });\n```\n\nThree problems compose:\n\n1. **The regex allow-list permits `.`** \u2014 `[^a-zA-Z0-9_\\-\\.]` only strips characters *outside* this set, so the literal dot is preserved. A `skill_id` of `..` (verified: `\u0027..\u0027.replace(/[^a-zA-Z0-9_\\-\\.]/g,\u0027_\u0027) === \u0027..\u0027`) survives sanitization.\n2. **`path.join` collapses `..` traversal** \u2014 `path.join(\u0027.\u0027, \u0027skills\u0027, \u0027..\u0027)` evaluates to `\u0027.\u0027` (the cwd), so `outDir` is now the user\u0027s working directory rather than `./skills/\u003cid\u003e`.\n3. **The traversal validation only runs in the `--out` branch** \u2014 the default branch (the documented common case for `evolver fetch --skill \u003cid\u003e`) has no `path.relative(...).startsWith(\u0027..\u0027)` check.\n\nThe bundled-files write loop:\n\n```js\n// index.js:881-906\nconst ALLOWED_SKILL_EXTENSIONS = new Set([\n  \u0027.js\u0027, \u0027.mjs\u0027, \u0027.cjs\u0027, \u0027.ts\u0027, \u0027.json\u0027, \u0027.md\u0027, \u0027.txt\u0027,\n  \u0027.sh\u0027, \u0027.py\u0027, \u0027.yml\u0027, \u0027.yaml\u0027,\n]);\n// ...\nfor (const file of bundled) {\n  if (!file || !file.name || typeof file.content !== \u0027string\u0027) continue;\n  const safeName = path.basename(file.name);                       // basename of \"index.js\" is \"index.js\"\n  const ext = path.extname(safeName).toLowerCase();\n  if (!ALLOWED_SKILL_EXTENSIONS.has(ext)) { /* skip */ continue; }\n  if (Buffer.byteLength(file.content, \u0027utf8\u0027) \u003e MAX_SKILL_FILE_BYTES) { /* skip */ continue; }\n  fs.writeFileSync(path.join(outDir, safeName), file.content, \u0027utf8\u0027);\n}\n```\n\n`path.basename` strips directory components from the *file name*, but a basename of `index.js` is still `index.js`. The extension allow-list contains `.js`, so an attacker can write `./index.js` (the evolver entry point itself), `./package.json`, `./SKILL.md`, etc.\n\nThere is no signature verification on the Hub response. `buildHubHeaders()` only authenticates the *outgoing* request; the response body is trusted as-is. The Hub stores skills uploaded by network participants, so any participant who can set a stored `skill_id` field to `..` triggers this on every download.\n\n## PoC\n\nReproduces the exact code path from `index.js:849-905`:\n\n```bash\ncd /tmp \u0026\u0026 rm -rf evolver-poc-validate \u0026\u0026 mkdir evolver-poc-validate \u0026\u0026 \\\n  cp /path/to/EvoMap-evolver-src/index.js evolver-poc-validate/\ncd evolver-poc-validate\nwc -l index.js                                  # 1098 index.js (legitimate)\n\nnode -e \"\nconst fs=require(\u0027fs\u0027),path=require(\u0027path\u0027);\nconst data={\n  skill_id:\u0027..\u0027,\n  content:\u0027x\u0027,\n  bundled_files:[{name:\u0027index.js\u0027,content:\u0027#!/usr/bin/env node\\nconsole.log(\\\"PWNED\\\");\u0027}]\n};\nconst safeId=String(data.skill_id||\u0027x\u0027).replace(/[^a-zA-Z0-9_\\-\\.]/g,\u0027_\u0027);\nconst outDir=path.join(\u0027.\u0027,\u0027skills\u0027,safeId);\nconsole.log(\u0027safeId:\u0027,JSON.stringify(safeId));   // \u0027..\u0027\nconsole.log(\u0027outDir:\u0027,JSON.stringify(outDir));   // \u0027.\u0027\nif(!fs.existsSync(outDir))fs.mkdirSync(outDir,{recursive:true});\nfor(const f of data.bundled_files){\n  const n=path.basename(f.name);\n  fs.writeFileSync(path.join(outDir,n),f.content);\n}\"\n\nwc -l index.js                                  # 1 index.js  (clobbered)\nhead -3 index.js\n# #!/usr/bin/env node\n# console.log(\"PWNED\");\n```\n\nVerified output: 1098 \u2192 1 line; the legitimate evolver entry point is replaced with attacker-controlled JavaScript. Any subsequent `node index.js \u003ccommand\u003e` (including the `--loop` daemon mode that users run continuously) executes the attacker payload.\n\nEnd-to-end attack:\n1. Attacker uploads a skill to the A2A Hub whose stored `skill_id` is `..` (or operates a malicious Hub / MitMs the connection / supplies a malicious `A2A_HUB_URL`).\n2. The malicious response also carries `bundled_files: [{name: \u0027index.js\u0027, content: \u0027\u003cattacker JS\u003e\u0027}]`.\n3. Victim runs `node index.js fetch --skill=anything` from the evolver checkout (the documented usage).\n4. `./index.js` is overwritten in place.\n5. Victim\u0027s next `node index.js` invocation \u2014 even just `node index.js --help` or the `run --loop` daemon \u2014 executes attacker code with the victim\u0027s privileges.\n\n## Impact\n\n- **Remote code execution** in the victim\u0027s environment with the privileges of the evolver process. Because the loop daemon (`node index.js run --loop`) is the documented long-running mode, the malicious code typically gets executed within seconds of the next iteration.\n- Attacker can also overwrite `package.json` (allowed extension), `SKILL.md`, `.env`-adjacent `.json`/`.yaml`/`.yml` config files, and any whitelisted file already present in the cwd.\n- Trust boundary violation: `evolver fetch` is presented as a *download* operation; users would not expect it to overwrite the application binary or project files. The `--out` branch was hardened against exactly this; the default branch was missed.\n- A single malicious skill upload compromises every user that fetches it.\n\n## Recommended Fix\n\nReject `safeId` values that are not single non-traversing path segments before joining, or reuse the same `path.relative` check used in the `--out` branch. Minimal patch around `index.js:849`:\n\n```js\nconst safeId = String(data.skill_id || skillId).replace(/[^a-zA-Z0-9_\\-\\.]/g, \u0027_\u0027);\nif (\n  safeId === \u0027\u0027 ||\n  safeId === \u0027.\u0027 ||\n  safeId === \u0027..\u0027 ||\n  safeId.includes(\u0027/\u0027) ||\n  safeId.includes(\u0027\\\\\u0027) ||\n  safeId.includes(\u0027\\0\u0027)\n) {\n  console.error(\u0027[fetch] Hub returned an invalid skill_id: \u0027 + JSON.stringify(safeId));\n  process.exit(1);\n}\n```\n\nDefense in depth \u2014 apply the existing traversal check to the default branch as well:\n\n```js\n} else {\n  const candidate = path.resolve(process.cwd(), \u0027skills\u0027, safeId);\n  const skillsRoot = path.resolve(process.cwd(), \u0027skills\u0027);\n  const rel = path.relative(skillsRoot, candidate);\n  if (rel.startsWith(\u0027..\u0027) || path.isAbsolute(rel)) {\n    console.error(\u0027[fetch] Hub returned a skill_id that escapes the skills/ directory\u0027);\n    process.exit(1);\n  }\n  outDir = candidate;\n}\n```\n\nAdditionally, consider:\n- Removing `.` from the regex allow-list (skill IDs typically don\u0027t need dots).\n- Verifying a Hub-supplied signature over the response payload before writing any file to disk.\n- Disallowing bundled-file `safeName` values that match top-level project files (`index.js`, `package.json`, `package-lock.json`, etc.) regardless of `outDir`.",
  "id": "GHSA-cfcj-hqpf-hccf",
  "modified": "2026-05-05T21:15:09Z",
  "published": "2026-05-05T21:15:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/EvoMap/evolver/security/advisories/GHSA-cfcj-hqpf-hccf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/EvoMap/evolver"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@evomap/evolver: Path Traversal in `evolver fetch` default-branch `safeId` allows Hub-controlled overwrite of project files (RCE)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.