js · network-ai · Critical
network-ai: Arbitrary file deletion via backup manifest path (CVE-2024-XXXXX)
What changed
EnvironmentManager.listBackups() trusts the 'path' field in backup manifests, and EnvironmentManager.pruneBackups() passes that path directly to rmSync(), allowing arbitrary file deletion. Fixed in v5.12.2 by recomputing the deletion path from a validated backupId and adding containment checks.
Who it affects
Users of network-ai versions prior to 5.12.2 who run backup pruning (e.g., 'network-ai env backup prune') where an attacker has write access to the data directory.
What to do today
Upgrade to network-ai@5.12.2 immediately via 'npm install network-ai@5.12.2'.