CVE-2026-25475
OpenClaw Vulnerable to Local File Inclusion via MEDIA: Path Extraction
Description
### Summary

The `isValidMedia()` function in `src/media/parse.ts` allows arbitrary file paths including absolute paths, home directory paths, and directory traversal sequences. An agent can read any file on the system by outputting `MEDIA:/path/to/file`, exfiltrating sensitive data to the user/channel.

### Details

**Location:** `src/media/parse.ts:17-27`

The path validation accepts dangerous patterns:

```typescript
function isValidMedia(candidate: string, opts?: { allowSpaces?: boolean }) {
  if (candidate.startsWith("/")) return true; // ALLOWS /etc/passwd
  if (candidate.startsWith("./")) return true;
  if (candidate.startsWith("../")) return true; // ALLOWS ../../etc/passwd
  if (candidate.startsWith("~")) return true; // ALLOWS ~/secrets
  return false;
}
```

No validation ensures the path is within a safe directory or is actually a media file.

### PoC

Agent outputs any of:

```
MEDIA:/etc/passwd
MEDIA:~/.ssh/id_rsa
MEDIA:~/.aws/credentials
MEDIA:../../../etc/passwd
```

The file contents are rendered/sent to the requesting user or channel.

### Impact

- Read ANY file accessible to the agent user
- Exfiltrate SSH keys (`~/.ssh/id_rsa`)
- Steal cloud credentials (`~/.aws/credentials`)
- Access API keys (`.env`, `config.json`)
- Read system files (`/etc/passwd`, `/etc/shadow`)

**Note:** PR #4930 contains a fix but is NOT MERGED - production is vulnerable.
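As an added illustration (not the project's code or the PR #4930 fix), the shape of the check described above is placed beside a hardened variant that confines `MEDIA:` references to a single media directory and requires a media file extension. `MEDIA_ROOT`, the extension list, `resolveMediaPath()` and `handleMediaLine()` are assumptions made for this example.

```typescript
import * as path from "node:path";

// Assumed for this example: the only directory media may be served from.
const MEDIA_ROOT = "/var/lib/openclaw/media";
const ALLOWED_EXT = new Set([".png", ".jpg", ".jpeg", ".gif", ".webp", ".mp3", ".mp4", ".wav"]);

// Shape of the check the advisory describes: any absolute, relative,
// traversal or home-directory path is accepted as "valid media".
function isValidMediaVulnerable(candidate: string): boolean {
  if (candidate.startsWith("/")) return true;
  if (candidate.startsWith("./")) return true;
  if (candidate.startsWith("../")) return true;
  if (candidate.startsWith("~")) return true;
  return false;
}

// Hardened replacement (example only): confine the candidate to MEDIA_ROOT
// and require a media extension. Returns the resolved path, or null when the
// reference must be refused. This is string-level logic; the caller should
// still fs.realpathSync() the result before opening it so that a symlink
// inside the root cannot point outside it.
function resolveMediaPath(candidate: string, root: string = MEDIA_ROOT): string | null {
  if (candidate.length === 0 || candidate.includes("\0")) return null;
  if (candidate.startsWith("~")) return null; // no home-directory expansion
  const rootAbs = path.resolve(root);
  // Relative candidates resolve under the root; absolute ones are kept as-is
  // and must land under the root according to the containment check below.
  const resolved = path.resolve(rootAbs, candidate);
  const rel = path.relative(rootAbs, resolved);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    return null; // the root itself, a traversal out of it, or another volume
  }
  if (!ALLOWED_EXT.has(path.extname(resolved).toLowerCase())) return null;
  return resolved;
}

// Parse one line of agent output; returns the resolved media path or null.
function handleMediaLine(line: string): string | null {
  const prefix = "MEDIA:";
  if (!line.startsWith(prefix)) return null;
  return resolveMediaPath(line.slice(prefix.length).trim());
}
```

Note that a naive `startsWith(root)` prefix test would still accept a sibling directory such as `/var/lib/openclaw/media-other/`; `path.relative()` avoids that.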
How to fix CVE-2026-25475
To remediate CVE-2026-25475, upgrade the affected package to a fixed version below.
- Upgrade to 2026.1.30 or later
Is CVE-2026-25475 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- All versions from 0 up to, but not including, 2026.1.30