| عنوان | ErlichLiu claude-agent-sdk-master Commit b185aa7ff0d864581257008077b4010fca1747bf Path Traversal |
|---|
| الوصف | A path traversal file read vulnerability (CWE-22) has been identified in the 04-agent-teams component of claude-agent-sdk-master, specifically within app/api/agent-output/route.ts. The /api/agent-output endpoint accepts a user-supplied outputFile value from the request body and passes it directly to fs.readFile after path normalization, without verifying that the path resides within a trusted agent output directory or application workspace. An attacker with network access to the exposed Next.js API can read arbitrary local files readable by the server process, potentially disclosing sensitive configuration files, credentials, or source code. Commit b185aa7ff0d864581257008077b4010fca1747bf is confirmed affected, and no fixed version is available at the time of reporting.
|
|---|
| المصدر | ⚠️ https://github.com/ErlichLiu/claude-agent-sdk-master/issues/5 |
|---|
| المستخدم | BruceJin (UID 96538) |
|---|
| ارسال | 11/04/2026 10:36 AM (2 أشهر منذ) |
|---|
| الاعتدال | 27/04/2026 07:05 PM (16 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 359844 [ErlichLiu claude-agent-sdk-master حتى b185aa7ff0d864581257008077b4010fca1747bf route.ts outputFile اجتياز الدليل] |
|---|
| النقاط | 20 |
|---|