network-ai: Symlink traversal in EnvironmentManager.backup()
What changed
EnvironmentManager.backup() follows symlinks when collecting backup files, allowing an attacker who can place a symlink under the environment data directory to copy arbitrary readable files from outside the environment root into backup artifacts.
Who it affects
Users of Network-AI 5.12.1 and earlier who use backup, promote, or restore operations, especially those where untrusted users can create symlinks in data/<env>.
What to do today
Upgrade to [email protected] immediately using npm install [email protected].
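The flaw class described under "What changed", shown as an added example that contrasts a file walk that follows symlinks with one that inspects each entry with lstat and checks containment under the root. This is not Network-AI's code: the function names, the data/dev layout and the sample files are assumptions constructed for illustration.

```javascript
// Added example: not Network-AI's code. All names here are hypothetical.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Flawed pattern: statSync() resolves symlinks, so a link inside the data
// directory is treated as the file or directory it points to.
function collectFollowing(dir, out = []) {
  for (const name of fs.readdirSync(dir)) {
    const p = path.join(dir, name);
    if (fs.statSync(p).isDirectory()) collectFollowing(p, out);
    else out.push(p);
  }
  return out;
}

// Hardened pattern: lstatSync() inspects the entry itself; symlinks are
// skipped, and each resolved path must stay under the resolved root.
function collectSafe(root, dir = root, out = []) {
  const realRoot = fs.realpathSync(root) + path.sep;
  for (const name of fs.readdirSync(dir)) {
    const p = path.join(dir, name);
    const st = fs.lstatSync(p);
    if (st.isSymbolicLink()) continue;
    if (!fs.realpathSync(p).startsWith(realRoot)) continue;
    if (st.isDirectory()) collectSafe(root, p, out);
    else if (st.isFile()) out.push(p);
  }
  return out;
}

// Constructed sample tree: data/dev/config.json plus a symlink to a file outside it.
function demo() {
  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'backup-demo-'));
  const envDir = path.join(tmp, 'data', 'dev');
  fs.mkdirSync(envDir, { recursive: true });
  fs.writeFileSync(path.join(envDir, 'config.json'), '{}');
  fs.writeFileSync(path.join(tmp, 'outside.txt'), 'not part of the environment');
  fs.symlinkSync(path.join(tmp, 'outside.txt'), path.join(envDir, 'link.txt'));
  const names = (files) => files.map((f) => path.basename(f)).sort();
  const result = { following: names(collectFollowing(envDir)), safe: names(collectSafe(envDir)) };
  fs.rmSync(tmp, { recursive: true, force: true });
  return result;
}

console.log(demo());
```

A walk like `collectSafe` is also a quick way to audit an existing data directory: any entry it skips that the following walk returns is a symlink worth reviewing.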