js · network-aiHeads-up

Network-AI: Path Traversal in EnvironmentManager.restore()

EnvironmentManager.restore() in Network-AI before 5.12.2 does not validate backupId, allowing path traversal to copy arbitrary directories into data/<env>.

20 Jun 2026Read 1 minSeverity: schedule it

What changed

EnvironmentManager.restore() in Network-AI before 5.12.2 does not validate backupId, allowing path traversal to copy arbitrary directories into data/<env>.

Who it affects

Users of Network-AI <=5.12.1 who expose the backup restore functionality (e.g., via CLI).

What to do today

Upgrade to [email protected] or later immediately.

The trail

Collected→ Audited→ Written→ Published

Source

GitHub Advisory · network-ai

Network-AI: Path Traversal in EnvironmentManager.restore()

What changed

Who it affects

What to do today

More on network-ai

@openzeppelin/wizard: Arbitrary code injection via info.securityContact and info.license fields

TypeORM Blind SQL Injection in UpdateQueryBuilder and SoftDeleteQueryBuilder (MySQL/MariaDB)