Submit #853104: zhayujie CowAgent <= 2.1.0 Improper Limitation of a Pathname to a Restricted Directory (CWE-22)info

Titelzhayujie CowAgent <= 2.1.0 Improper Limitation of a Pathname to a Restricted Directory (CWE-22)
Beschreibung# Technical Details A path traversal vulnerability exists in the cloud skill installation flow in `agent/skills/service.py` of CowAgent. The application accepts an attacker-controlled skill name from a LinkAI cloud `SKILL add` message and uses it directly when deriving the destination directory for package and URL-based skill installation. Traversal names such as `../escaped-target` can cause extracted skill content to be written outside the intended `<agent_workspace>/skills/` root. # Vulnerable Code File: `common/cloud_client.py` Method: `CloudClient.skill_service` Why: The service initializes `SkillService` with `custom_dir=os.path.join(workspace_root, "skills")`, establishing the intended install root. File: `common/cloud_client.py` Method: `CloudClient.on_skill` Why: The method forwards attacker-controlled cloud `action` and `payload` directly into `SkillService.dispatch()`. File: `agent/skills/service.py` Method: `_add_url` Why: The method derives `skill_dir = os.path.join(self.manager.custom_dir, name)` from attacker-controlled `name` without rejecting `.` / `..` or path separators. File: `agent/skills/service.py` Method: `_add_package` Why: The method joins `custom_dir` with attacker-controlled `name` and copies extracted ZIP contents into the unchecked resulting path with `shutil.copytree(extract_dir, skill_dir)`. # Reproduction 1. Run CowAgent `<= 2.1.0` with cloud skill management enabled. 2. Use a cloud-management principal able to send a `SKILL add` action. 3. Provide a package install payload with `name="../escaped-target"` and a valid ZIP package URL. 4. Observe that the install response reports success. 5. Confirm that `SKILL.md` is written to `<agent_workspace>/escaped-target/SKILL.md` instead of `<agent_workspace>/skills/...`. 6. Run a control with `name="safe-skill"` and confirm installation stays under `<agent_workspace>/skills/safe-skill/`. # Impact - Authenticated cloud-management attackers can write extracted package content outside the intended `skills/` root. - Workspace files in sibling directories may be overwritten or tampered with. - The issue can prepare follow-on abuse if adjacent directories are later consumed by other CowAgent components.
Quelle⚠️ https://github.com/zhayujie/CowAgent/issues/2873
Benutzer
 Eric-x (UID 94869)
Einreichung09.06.2026 16:46 (vor 1 Monat)
Moderieren09.07.2026 20:38 (1 month later)
StatusAkzeptiert
VulDB Eintrag377274 [zhayujie CowAgent bis 2.1.0 Skill Installation agent/skills/service.py _add_url/_add_package Name Directory Traversal]
Punkte20

Might our Artificial Intelligence support you?

Check our Alexa App!