| tiêu đề | DV0x creative-ad-agent Commit751b9e5146604dc65049bd0f62dcbdad6212f8a3 Path Traversal |
|---|
| Mô tả | A path traversal vulnerability (CWE-22) has been identified in the Creative Ad Agent SDK server, specifically within server/sdk-server.ts. The /images/:sessionId?/:filename endpoint accepts user-controlled route parameters and constructs a filesystem path without validating that the resolved path remains inside the intended generated-images directory. An attacker with network access to the server can supply encoded traversal sequences (e.g., %2e%2e/) to read arbitrary files accessible to the server process, including repository files or host system files such as /etc/hosts. Commit 751b9e5146604dc65049bd0f62dcbdad6212f8a3 is confirmed affected, and no fixed version is available at the time of reporting.
|
|---|
| Nguồn | ⚠️ https://github.com/DV0x/creative-ad-agent/issues/1 |
|---|
| Người dùng | BruceJin (UID 96538) |
|---|
| Đệ trình | 11/04/2026 18:17 (cách đây 2 các tháng) |
|---|
| Kiểm duyệt | 28/04/2026 07:41 (17 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 359926 [DV0x creative-ad-agent đến 751b9e5146604dc65049bd0f62dcbdad6212f8a3 creative-ad-agent-server server/sdk-server.ts req.params duyệt thư mục] |
|---|
| điểm | 20 |
|---|