| Título | ErlichLiu claude-agent-sdk-master Commit b185aa7ff0d864581257008077b4010fca1747bf Path Traversal |
|---|
| Descripción | A path traversal file read vulnerability (CWE-22) has been identified in the 04-agent-teams component of claude-agent-sdk-master, specifically within app/api/agent-output/route.ts. The /api/agent-output endpoint accepts a user-supplied outputFile value from the request body and passes it directly to fs.readFile after path normalization, without verifying that the path resides within a trusted agent output directory or application workspace. An attacker with network access to the exposed Next.js API can read arbitrary local files readable by the server process, potentially disclosing sensitive configuration files, credentials, or source code. Commit b185aa7ff0d864581257008077b4010fca1747bf is confirmed affected, and no fixed version is available at the time of reporting.
|
|---|
| Fuente | ⚠️ https://github.com/ErlichLiu/claude-agent-sdk-master/issues/5 |
|---|
| Usuario | BruceJin (UID 96538) |
|---|
| Sumisión | 2026-04-11 10:36 (hace 2 meses) |
|---|
| Moderación | 2026-04-27 19:05 (16 days later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 359844 [ErlichLiu claude-agent-sdk-master hasta b185aa7ff0d864581257008077b4010fca1747bf route.ts outputFile recorrido de directorios] |
|---|
| Puntos | 20 |
|---|