PT-2026-53776 · Pypi · Everos
Publicado
2026-06-19
·
Atualizado
2026-06-19
CVSS v3.1
8.2
Alta
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L |
EverOS versions 1.0.0 and earlier are vulnerable to path traversal in the POST /api/v1/memory/add ingestion endpoint. The per-message sender id field was not validated as a path-safe identifier (unlike app id / project id, which already enforced this). During user-memory extraction, sender id is used as the owner id and joined into the filesystem path where the extracted episode is persisted as a Markdown file. A sender id containing ../ sequences could direct the write outside the configured memory root, allowing an unauthenticated caller to create or overwrite .md files at locations writable by the server process (unauthorized arbitrary file write). The file content is partially attacker-influenced.
Patch: Fixed in v1.0.1 with (1) path-safe validation on sender id (character whitelist plus rejection of the . and .. tokens) and (2) a defense-in-depth containment check in the Markdown writer that rejects any write resolving outside the memory root before any filesystem access, covering both the write and the append read-modify-write paths.
Remediation: Upgrade to EverOS 1.0.1. There is no workaround for affected versions other than upgrading.
Correção
Path traversal
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Everos