| タイトル | ErlichLiu claude-agent-sdk-master Commit b185aa7ff0d864581257008077b4010fca1747bf Path Traversal |
|---|
| 説明 | A path traversal file read vulnerability (CWE-22) has been identified in the 04-agent-teams component of claude-agent-sdk-master, specifically within app/api/agent-output/route.ts. The /api/agent-output endpoint accepts a user-supplied outputFile value from the request body and passes it directly to fs.readFile after path normalization, without verifying that the path resides within a trusted agent output directory or application workspace. An attacker with network access to the exposed Next.js API can read arbitrary local files readable by the server process, potentially disclosing sensitive configuration files, credentials, or source code. Commit b185aa7ff0d864581257008077b4010fca1747bf is confirmed affected, and no fixed version is available at the time of reporting.
|
|---|
| ソース | ⚠️ https://github.com/ErlichLiu/claude-agent-sdk-master/issues/5 |
|---|
| ユーザー | BruceJin (UID 96538) |
|---|
| 送信 | 2026年04月11日 10:36 (2 月 ago) |
|---|
| モデレーション | 2026年04月27日 19:05 (16 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 359844 [ErlichLiu claude-agent-sdk-master 迄 b185aa7ff0d864581257008077b4010fca1747bf route.ts outputFile ディレクトリトラバーサル] |
|---|
| ポイント | 20 |
|---|