PT-2026-6473 · Npm · Openclaw
Published
2026-02-04
·
Updated
2026-02-04
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Summary
The
isValidMedia() function in src/media/parse.ts allows arbitrary file paths including absolute paths, home directory paths, and directory traversal sequences. An agent can read any file on the system by outputting MEDIA:/path/to/file, exfiltrating sensitive data to the user/channel.Details
Location:
src/media/parse.ts:17-27The path validation accepts dangerous patterns:
typescript
function isValidMedia(candidate: string, opts?: { allowSpaces?: boolean }) {
if (candidate.startsWith("/")) return true; // ALLOWS /etc/passwd
if (candidate.startsWith("./")) return true;
if (candidate.startsWith("../")) return true; // ALLOWS ../../etc/passwd
if (candidate.startsWith("~")) return true; // ALLOWS ~/secrets
return false;
}No validation ensures the path is within a safe directory or is actually a media file.
PoC
Agent outputs any of:
MEDIA:/etc/passwd
MEDIA:~/.ssh/id rsa
MEDIA:~/.aws/credentials
MEDIA:../../../etc/passwdThe file contents are rendered/sent to the requesting user or channel.
Impact
- Read ANY file accessible to the agent user
- Exfiltrate SSH keys (
~/.ssh/id rsa) - Steal cloud credentials (
~/.aws/credentials) - Access API keys (
.env,config.json) - Read system files (
/etc/passwd,/etc/shadow)
Note: PR #4930 contains a fix but is NOT MERGED - production is vulnerable.
Fix
Information Disclosure
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Openclaw