GHSA-JVCM-F35G-W78P is a medium-severity path traversal vulnerability in network-ai (npm), affecting versions <= 5.12.1. It is fixed in 5.12.2.
Summary

AgentRuntime promises scoped file access under a configured sandbox basePath, but its path containment checks use raw string prefix tests. A sandbox base such as /tmp/network-ai-sandbox also matches a sibling path such as /tmp/network-ai-sandboxevil/secret.txt. An agent/user that can call AgentRuntime.readFile() or AgentRuntime.listDir() can read or list files outside the intended sandbox when the target path is in a sibling directory sharing the base path prefix. This breaks the documented sandbox boundary. Confirmed in Network-AI 5.12.1. Severity: Medium, CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N.

Details

The vulnerable containment check is in lib/agent-runtime.ts:

startsWith() is not path-boundary-aware. If this.config.basePath is /tmp/network-ai-sandbox, then /tmp/network-ai-sandboxevil/secret.txt also starts with /tmp/network-ai-sandbox despite being outside the sandbox. The same pattern appears in SandboxPolicy.isPathAllowed() for allowed and blocked paths. FileAccessor.read(), FileAccessor.write(), and FileAccessor.list() rely on these checks before I/O, and AgentRuntime.readFile() exposes this behavior. Reads auto-approve by default when autoApproveReads is enabled.

Affected source evidence:
lib/agent-runtime.ts:393-423, isPathAllowed() / resolvePath() use string startsWith() containment.
lib/agent-runtime.ts:669-691, file read sink relies on those checks.
lib/agent-runtime.ts:933-958, AgentRuntime.readFile() exposes file reads.

PoC

Run from the repository root after installing dependencies:

Observed result: both reads succeed and return SECRETOUTSIDESANDBOX, even though the file is outside basePath.

Impact

An agent/user with access to AgentRuntime file operations can bypass the intended sandbox root and read or list files outside the sandbox when those files are located in sibling paths sharing the sandbox base path prefix. This is a sandbox boundary bypass and path traversal vulnerability.

Default confirmed impact is read/list disclosure. If an embedding application uses FileAccessor.write() directly or auto-approves runtime writes, the same root cause may allow writes outside the intended sandbox to prefix-collision sibling paths. No RCE chain was confirmed.

Resolution (maintainer)

Fixed in v5.12.2 (commit a59c13a). Install: npm install network-ai@5.12.2, published to npm with provenance. SandboxPolicy.resolvePath() and isPathAllowed() now use separator-anchored prefix checks (resolved === base || resolved.startsWith(base + path.sep)) for both the allow-list and block-list. A sibling directory that merely shares a name prefix (e.g. /srv/app-evil vs base /srv/app) is no longer treated as in-scope. All 3,269 tests pass against the patched build. Thanks to @sondt99 for the responsible disclosure.
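The prefix collision and the separator-anchored check described above, side by side, as an added example that is not code from network-ai. The function names are hypothetical, the sample paths other than the two quoted in the advisory are constructed, and path.posix is used so the results match the advisory's /tmp paths on any platform.

```javascript
// Added example; not code from network-ai. All function names are hypothetical.
const path = require("node:path").posix; // POSIX rules, matching the advisory's /tmp paths

// Pattern the advisory describes as vulnerable: raw string prefix test.
function isInsideNaive(base, target) {
  return path.resolve(target).startsWith(path.resolve(base));
}

// Separator-anchored form quoted in the fix note:
//   resolved === base || resolved.startsWith(base + path.sep)
function isInsideAnchored(base, target) {
  const b = path.resolve(base);   // also strips a trailing "/" from the base
  const r = path.resolve(target); // collapses "." and ".." before comparing
  if (r === b) return true;
  // When the base is the filesystem root, b already ends with the separator.
  const anchor = b.endsWith(path.sep) ? b : b + path.sep;
  return r.startsWith(anchor);
}

// Regression helper: targets the naive check accepts but the anchored one rejects.
function prefixCollisions(base, targets) {
  return targets.filter((t) => isInsideNaive(base, t) && !isInsideAnchored(base, t));
}

const BASE = "/tmp/network-ai-sandbox";
// Constructed sample paths; the first and third are the ones quoted in the advisory.
const SAMPLES = [
  "/tmp/network-ai-sandbox",
  "/tmp/network-ai-sandbox/notes/a.txt",
  "/tmp/network-ai-sandboxevil/secret.txt",
  "/tmp/network-ai-sandbox/../network-ai-sandboxevil/secret.txt",
  "/tmp/unrelated/file.txt",
];

for (const t of SAMPLES) {
  console.log(isInsideNaive(BASE, t), isInsideAnchored(BASE, t), t);
}
console.log("collisions:", prefixCollisions(BASE, SAMPLES));
```

Both checks are purely lexical: path.resolve() does not follow symbolic links, so a link inside the sandbox that points elsewhere is outside what this comparison can detect.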
Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.
GHSA-JVCM-F35G-W78P has a CVSS score of 6.5 (Medium). The vector requires local access, low privileges, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (5.12.2). Upgrading removes the vulnerable code path.
npm
network-ai (<= 5.12.1)
network-ai → 5.12.2 (npm)

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Upgrade network-ai to 5.12.2 or later to resolve this vulnerability.