| tiêu đề | ErlichLiu claude-agent-sdk-master Commit b185aa7ff0d864581257008077b4010fca1747bf Path Traversal |
|---|
| Mô tả | A path traversal file read vulnerability (CWE-22) has been identified in the 04-agent-teams component of claude-agent-sdk-master, specifically within app/api/agent-output/route.ts. The /api/agent-output endpoint accepts a user-supplied outputFile value from the request body and passes it directly to fs.readFile after path normalization, without verifying that the path resides within a trusted agent output directory or application workspace. An attacker with network access to the exposed Next.js API can read arbitrary local files readable by the server process, potentially disclosing sensitive configuration files, credentials, or source code. Commit b185aa7ff0d864581257008077b4010fca1747bf is confirmed affected, and no fixed version is available at the time of reporting.
|
|---|
| Nguồn | ⚠️ https://github.com/ErlichLiu/claude-agent-sdk-master/issues/5 |
|---|
| Người dùng | BruceJin (UID 96538) |
|---|
| Đệ trình | 11/04/2026 10:36 (cách đây 2 các tháng) |
|---|
| Kiểm duyệt | 27/04/2026 19:05 (16 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 359844 [ErlichLiu claude-agent-sdk-master đến b185aa7ff0d864581257008077b4010fca1747bf route.ts outputFile duyệt thư mục] |
|---|
| điểm | 20 |
|---|