| Title | 8421bit MiniClaw 0 Path Traversal |
|---|---|
| Description | The executeSkillScript function is vulnerable to Path Traversal (CWE-22). The function constructs the script path using unsanitized user-controlled inputs (skillName, scriptFile) with path.join(), without validating that the final path stays within the allowed SKILLS_DIR directory. Attackers can use ../ sequences to access arbitrary files on the server filesystem. More details: https://github.com/8421bit/MiniClaw/issues/5 |
| Source | https://github.com/8421bit/MiniClaw/issues/5 |
| User | ybdesire (UID 83239) |
| Submission | 20.04.2026 12:54 (1 month ago) |
| Moderation | 07.05.2026 18:33 (17 days later) |
| Status | Accepted |
| VulDB entry | 361901 [8421bit MiniClaw up to 43905b934cf76489ab28e4d17da28ee97970f91f executeSkillScript src/kernel.ts isPathInside Directory Traversal] |
| Points | 20 |
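
The `path.join()` pattern the description names, next to a variant that checks containment before use. This is an added example, not MiniClaw's code: the function names, the `SKILLS_DIR` value and the sample inputs are constructed, and POSIX paths are assumed.

```typescript
import * as path from "node:path";

// Constructed value: the page names SKILLS_DIR but not its location.
const SKILLS_DIR = "/srv/miniclaw/skills";

// Pattern from the description: join() collapses "../" segments, so the
// result is not guaranteed to stay under SKILLS_DIR.
function unsafeScriptPath(skillName: string, scriptFile: string): string {
  return path.join(SKILLS_DIR, skillName, scriptFile);
}

// True only when `target` lies strictly below `base`. Comparing with
// path.relative() avoids the prefix pitfall where "/skills/demo-evil"
// passes a startsWith("/skills/demo") test.
function isBelow(base: string, target: string): boolean {
  const rel = path.relative(base, target);
  if (rel === "" || path.isAbsolute(rel)) return false;
  return rel !== ".." && !rel.startsWith(".." + path.sep);
}

// Hypothetical hardened resolver: returns the script path, or null when the
// request would leave the skill's own directory.
function safeScriptPath(skillName: string, scriptFile: string): string | null {
  // A skill name is a single directory name, never a path.
  if (!/^[A-Za-z0-9_-]+$/.test(skillName)) return null;
  if (scriptFile.includes("\0")) return null;
  const skillRoot = path.resolve(SKILLS_DIR, skillName);
  // resolve() also covers an absolute scriptFile, which replaces the base.
  const candidate = path.resolve(skillRoot, scriptFile);
  return isBelow(skillRoot, candidate) ? candidate : null;
}

// Constructed requests as [skillName, scriptFile] pairs.
const samples: Array<[string, string]> = [
  ["demo", "run.sh"],
  ["demo", "../../../../etc/passwd"],
  ["../../../../etc", "passwd"],
  ["demo", "../demo-evil/run.sh"],
];
for (const [skill, file] of samples) {
  console.log(JSON.stringify([skill, file]), "->",
    unsafeScriptPath(skill, file), "|", safeScriptPath(skill, file));
}
```

The containment check is purely lexical; if symlinks can exist under the skills directory, both paths need to be passed through `fs.realpathSync()` before they are compared.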