<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Prompty (PyPI) &lt;= 2.0.0b1 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/prompty-pypi--2.0.0b1/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 17 Jul 2026 19:47:13 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/prompty-pypi--2.0.0b1/feed.xml" rel="self" type="application/rss+xml"/><item><title>Prompty Arbitrary File Read Vulnerability via File Reference Expansion (CVE-2026-53598)</title><link>https://feed.craftedsignal.io/briefs/2026-07-prompty-arbitrary-file-read/</link><pubDate>Fri, 17 Jul 2026 19:47:13 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-prompty-arbitrary-file-read/</guid><description>A path traversal vulnerability, CVE-2026-53598, in Prompty loaders allows an attacker-controlled `.prompty` file to read arbitrary files accessible to the host application process due to improper validation of `${file:...}` references in frontmatter, leading to sensitive local file disclosure.</description><content:encoded><![CDATA[<p>CVE-2026-53598 describes an arbitrary file read vulnerability affecting Prompty libraries across multiple ecosystems, including PyPI <code>prompty</code> (versions <code>&lt;= 2.0.0b1</code>), npm <code>@prompty/core</code> (versions <code>&lt;= 2.0.0-beta.1</code>), crates.io <code>prompty</code> (versions <code>&lt;= 2.0.0-beta.1</code>), and NuGet <code>Prompty.Core</code> (versions <code>&lt;= 2.0.0-beta.1</code>). This flaw stems from improper validation of <code>${file:...}</code> references within <code>.prompty</code> frontmatter, allowing path traversal (<code>../</code>) or absolute paths to read files outside the intended directory. Threat actors could exploit this by providing a specially crafted <code>.prompty</code> file to a vulnerable application, leading to the disclosure of sensitive local files accessible to the application's process. The vulnerability was patched in versions <code>2.0.0b2</code> and <code>2.0.0-beta.2</code>, which enforce stricter path restrictions and canonicalization.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious <code>.prompty</code> file containing a <code>${file:...}</code> reference with a path traversal sequence (e.g., <code>${file:../etc/passwd}</code>) or an absolute path (e.g., <code>${file:/etc/shadow}</code>) in its frontmatter.</li>
<li>The attacker delivers this malicious <code>.prompty</code> file to a vulnerable application or convinces a victim to load it, targeting applications using PyPI <code>prompty</code> (&lt;= 2.0.0b1), npm <code>@prompty/core</code> (&lt;= 2.0.0-beta.1), crates.io <code>prompty</code> (&lt;= 2.0.0-beta.1), or NuGet <code>Prompty.Core</code> (&lt;= 2.0.0-beta.1).</li>
<li>The vulnerable application loads the untrusted <code>.prompty</code> file, which includes the frontmatter containing the crafted file reference.</li>
<li>The Prompty loader attempts to expand the <code>${file:...}</code> reference during processing without properly validating the resolved path against authorized directories or canonicalizing it.</li>
<li>The Prompty library's internal logic resolves the path traversal or absolute path, causing the application to read the arbitrary file from the host system.</li>
<li>The content of the sensitive file (e.g., <code>/etc/passwd</code>, <code>/etc/shadow</code>, configuration files) is then processed by the application.</li>
<li>The application may log the content, include it in a response, or otherwise expose it, allowing the attacker to receive or extract the contents of the arbitrary file.</li>
<li>The attacker achieves sensitive information disclosure, obtaining unauthorized access to local system files.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Applications that process untrusted <code>.prompty</code> files are at severe risk of arbitrary file disclosure due to CVE-2026-53598. Successful exploitation could lead to attackers reading any file accessible to the vulnerable application's process, including critical configuration files, user credentials, application source code, or sensitive private data. While no specific victim counts are provided, any organization utilizing affected Prompty versions in environments that parse external or user-provided prompt files is vulnerable to significant information theft. The potential damage includes intellectual property loss, system compromise through leaked credentials, and privacy breaches if personal data is exposed.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade all PyPI <code>prompty</code> installations to version <code>2.0.0b2</code> or higher immediately to remediate CVE-2026-53598.</li>
<li>Upgrade all npm <code>@prompty/core</code> installations to <code>2.0.0-beta.2</code> or higher immediately to remediate CVE-2026-53598.</li>
<li>Upgrade all crates.io <code>prompty</code> installations to <code>2.0.0-beta.2</code> or higher immediately to remediate CVE-2026-53598.</li>
<li>Upgrade all NuGet <code>Prompty.Core</code> installations to <code>2.0.0-beta.2</code> or higher immediately to remediate CVE-2026-53598.</li>
<li>Review application logs for CVE-2026-53598 exploitation attempts, specifically looking for <code>prompty</code> library operations attempting to access files outside expected asset directories.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>arbitrary-file-read</category><category>path-traversal</category><category>code-execution</category><category>prompty</category></item></channel></rss>