Gửi #853104: zhayujie CowAgent <= 2.1.0 Improper Limitation of a Pathname to a Restricted Directory (CWE-22)thông tin

tiêu đềzhayujie CowAgent <= 2.1.0 Improper Limitation of a Pathname to a Restricted Directory (CWE-22)
Mô tả# Technical Details A path traversal vulnerability exists in the cloud skill installation flow in `agent/skills/service.py` of CowAgent. The application accepts an attacker-controlled skill name from a LinkAI cloud `SKILL add` message and uses it directly when deriving the destination directory for package and URL-based skill installation. Traversal names such as `../escaped-target` can cause extracted skill content to be written outside the intended `<agent_workspace>/skills/` root. # Vulnerable Code File: `common/cloud_client.py` Method: `CloudClient.skill_service` Why: The service initializes `SkillService` with `custom_dir=os.path.join(workspace_root, "skills")`, establishing the intended install root. File: `common/cloud_client.py` Method: `CloudClient.on_skill` Why: The method forwards attacker-controlled cloud `action` and `payload` directly into `SkillService.dispatch()`. File: `agent/skills/service.py` Method: `_add_url` Why: The method derives `skill_dir = os.path.join(self.manager.custom_dir, name)` from attacker-controlled `name` without rejecting `.` / `..` or path separators. File: `agent/skills/service.py` Method: `_add_package` Why: The method joins `custom_dir` with attacker-controlled `name` and copies extracted ZIP contents into the unchecked resulting path with `shutil.copytree(extract_dir, skill_dir)`. # Reproduction 1. Run CowAgent `<= 2.1.0` with cloud skill management enabled. 2. Use a cloud-management principal able to send a `SKILL add` action. 3. Provide a package install payload with `name="../escaped-target"` and a valid ZIP package URL. 4. Observe that the install response reports success. 5. Confirm that `SKILL.md` is written to `<agent_workspace>/escaped-target/SKILL.md` instead of `<agent_workspace>/skills/...`. 6. Run a control with `name="safe-skill"` and confirm installation stays under `<agent_workspace>/skills/safe-skill/`. # Impact - Authenticated cloud-management attackers can write extracted package content outside the intended `skills/` root. - Workspace files in sibling directories may be overwritten or tampered with. - The issue can prepare follow-on abuse if adjacent directories are later consumed by other CowAgent components.
Nguồn⚠️ https://github.com/zhayujie/CowAgent/issues/2873
Người dùng
 Eric-x (UID 94869)
Đệ trình09/06/2026 16:46 (cách đây 1 tháng)
Kiểm duyệt09/07/2026 20:38 (1 month later)
Trạng tháiđược chấp nhận
Mục VulDB377274 [zhayujie CowAgent đến 2.1.0 Skill Installation agent/skills/service.py _add_url/_add_package Tên duyệt thư mục]
điểm20

Do you know our Splunk app?

Download it now for free!