{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/arbitrary-file-write/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["zarf","path-traversal","arbitrary-file-write","package-inspection","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eZarf, a tool for air-gapped deployments, is susceptible to a path traversal vulnerability (CVE-2026-40090) affecting versions prior to v0.74.2. The vulnerability stems from inadequate sanitization of the \u003ccode\u003eMetadata.Name\u003c/code\u003e field within Zarf package manifests. When a user employs the \u003ccode\u003ezarf package inspect sbom\u003c/code\u003e or \u003ccode\u003ezarf package inspect documentation\u003c/code\u003e commands on an untrusted package, the tool constructs output file paths by concatenating a user-controlled output directory with the package\u0026rsquo;s \u003ccode\u003eMetadata.Name\u003c/code\u003e field. A malicious actor can craft a Zarf package with a manipulated \u003ccode\u003eMetadata.Name\u003c/code\u003e containing path traversal sequences (e.g., \u003ccode\u003e../../\u003c/code\u003e), enabling arbitrary file write capabilities within the permissions of the user running the \u003ccode\u003einspect\u003c/code\u003e command. 
This vulnerability allows attackers to write files to attacker-chosen locations, potentially leading to privilege escalation or system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious Zarf package.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003ezarf.yaml\u003c/code\u003e manifest within the package to include a \u003ccode\u003eMetadata.Name\u003c/code\u003e field containing path traversal sequences (e.g., \u003ccode\u003e../../../../tmp/evil\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker repacks the Zarf package, recalculating checksums if necessary.\u003c/li\u003e\n\u003cli\u003eThe attacker distributes the malicious Zarf package.\u003c/li\u003e\n\u003cli\u003eA victim user downloads the malicious Zarf package.\u003c/li\u003e\n\u003cli\u003eThe victim executes \u003ccode\u003ezarf package inspect sbom --output-dir /tmp \u0026lt;malicious-package.tar.zst\u0026gt;\u003c/code\u003e or \u003ccode\u003ezarf package inspect documentation --output-dir /tmp \u0026lt;malicious-package.tar.zst\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eZarf extracts the \u003ccode\u003eMetadata.Name\u003c/code\u003e from the \u003ccode\u003ezarf.yaml\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eZarf constructs an output path by joining the user-specified output directory (/tmp) with the malicious \u003ccode\u003eMetadata.Name\u003c/code\u003e (\u003ccode\u003e../../../../tmp/evil\u003c/code\u003e), resulting in \u003ccode\u003e/tmp/../../../../tmp/evil\u003c/code\u003e. The tool attempts to write the SBOM or documentation data to this path, which resolves to \u003ccode\u003e/tmp/evil\u003c/code\u003e. 
This allows attackers to write files such as SSH authorized keys, cron jobs, or shell profiles.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to write arbitrary files to the file system, limited by the permissions of the user running the \u003ccode\u003ezarf package inspect\u003c/code\u003e command. This can lead to several critical consequences: privilege escalation by writing to authorized_keys files, arbitrary code execution by writing cron jobs, or persistent compromise by writing to shell profiles. This vulnerability affects users running the \u003ccode\u003ezarf package inspect sbom\u003c/code\u003e or \u003ccode\u003ezarf package inspect documentation\u003c/code\u003e command on untrusted packages. The affected packages are go/github.com/zarf-dev/zarf versions \u0026gt;= 0.23.0 and \u0026lt; 0.74.2.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Zarf to version v0.74.2 or later to patch CVE-2026-40090.\u003c/li\u003e\n\u003cli\u003eAvoid inspecting unsigned Zarf packages as a workaround until the upgrade is complete, as mentioned in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Zarf Package Inspection with Path Traversal\u0026rdquo; to identify attempts to exploit this vulnerability via command-line arguments.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events in sensitive directories (e.g., \u003ccode\u003e/home/$USER/.ssh\u003c/code\u003e, \u003ccode\u003e/etc/cron.d\u003c/code\u003e) for files created by the zarf binary using the \u0026ldquo;Detect Zarf Arbitrary File Write\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-15-zarf-path-traversal/","summary":"Zarf is vulnerable to path traversal due to insufficient 
sanitization of the Metadata.Name field in package manifests when using the `zarf package inspect sbom` or `zarf package inspect documentation` commands, potentially leading to arbitrary file write.","title":"Zarf Path Traversal Vulnerability via Malicious Package Metadata.Name","url":"https://feed.craftedsignal.io/briefs/2026-04-15-zarf-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path-traversal","graphql","tinacms","arbitrary-file-write"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA path traversal vulnerability has been identified in versions 2.2.1 and earlier of \u003ccode\u003e@tinacms/graphql\u003c/code\u003e, a GraphQL API for TinaCMS. This flaw enables unauthenticated attackers to write and overwrite arbitrary files within the project root directory. The vulnerability stems from insufficient validation of the \u003ccode\u003erelativePath\u003c/code\u003e parameter within GraphQL mutations. By exploiting this weakness, attackers can overwrite critical server configuration files like \u003ccode\u003epackage.json\u003c/code\u003e and \u003ccode\u003etsconfig.json\u003c/code\u003e, inject malicious scripts into the \u003ccode\u003epublic/\u003c/code\u003e directory, and even achieve arbitrary code execution by modifying build scripts or server-side logic files. 
This vulnerability poses a significant risk to systems utilizing vulnerable versions of \u003ccode\u003e@tinacms/graphql\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a TinaCMS instance running a vulnerable version of \u003ccode\u003e@tinacms/graphql\u003c/code\u003e (\u0026lt;= 2.2.1).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious GraphQL mutation request targeting the \u003ccode\u003eupdateDocument\u003c/code\u003e mutation.\u003c/li\u003e\n\u003cli\u003eWithin the mutation, the attacker manipulates the \u003ccode\u003erelativePath\u003c/code\u003e parameter to include a path traversal sequence, such as \u003ccode\u003ex\\\\\\\\..\\\\\\\\..\\\\\\\\..\\\\\\\\package.json\u003c/code\u003e. The backslashes are misinterpreted on non-Windows systems.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003egetValidatedPath\u003c/code\u003e function fails to properly sanitize the malicious path due to the backslash bypass on non-Windows platforms.\u003c/li\u003e\n\u003cli\u003eThe request is processed, and the server attempts to write to the attacker-specified file path.\u003c/li\u003e\n\u003cli\u003eThe file system API resolves the path traversal sequence, leading to a write operation outside the intended directory.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites a critical file, such as \u003ccode\u003epackage.json\u003c/code\u003e, with malicious content.\u003c/li\u003e\n\u003cli\u003eThe server or build process executes the modified file, resulting in arbitrary code execution or other malicious behavior.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated attackers to perform arbitrary file writes, leading to several critical consequences. 
Attackers can overwrite server configuration files, inject malicious scripts for client-side attacks, and achieve arbitrary code execution by modifying build scripts or server-side logic. The impact ranges from denial of service to complete system compromise. While the exact number of affected systems is unknown, all TinaCMS instances running \u003ccode\u003e@tinacms/graphql\u003c/code\u003e version 2.2.1 or earlier are susceptible.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003e@tinacms/graphql\u003c/code\u003e to a patched version (later than 2.2.1) to remediate CVE-2026-33949.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect TinaCMS GraphQL Path Traversal Attempt\u003c/code\u003e to identify attempted exploitation of the vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to the \u003ccode\u003e/graphql\u003c/code\u003e endpoint containing suspicious \u003ccode\u003erelativePath\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization for file paths within GraphQL mutations, regardless of the underlying operating system.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-30T17:11:02Z","date_published":"2026-03-30T17:11:02Z","id":"/briefs/2026-04-tinacms-path-traversal/","summary":"A path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root by manipulating the relativePath parameter in GraphQL mutations, leading to potential arbitrary code execution.","title":"TinaCMS GraphQL Path Traversal 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-tinacms-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-4415","arbitrary-file-write","privilege-escalation","code-execution","gigabyte"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Gigabyte Control Center application is vulnerable to an arbitrary file write vulnerability, identified as CVE-2026-4415. The vulnerability exists because when the \u0026ldquo;pairing\u0026rdquo; feature is enabled, it allows unauthenticated remote attackers to write arbitrary files to any location on the underlying operating system. This issue was reported on March 30, 2026. Successful exploitation could allow attackers to achieve arbitrary code execution or escalate privileges on the affected system. This poses…\u003c/p\u003e\n","date_modified":"2026-03-30T08:16:18Z","date_published":"2026-03-30T08:16:18Z","id":"/briefs/2026-03-gigabyte-file-write/","summary":"Gigabyte Control Center has an Arbitrary File Write vulnerability (CVE-2026-4415) that allows unauthenticated remote attackers to write arbitrary files to any location on the underlying operating system, leading to arbitrary code execution or privilege escalation.","title":"Gigabyte Control Center Arbitrary File Write Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-gigabyte-file-write/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["@evomap/evolver"],"_cs_severities":["high"],"_cs_tags":["path-traversal","arbitrary-file-write","privilege-escalation","evolver"],"_cs_type":"advisory","_cs_vendors":["@evomap"],"content_html":"\u003cp\u003eThe \u003ccode\u003e@evomap/evolver\u003c/code\u003e package contains a path traversal vulnerability in its \u003ccode\u003efetch\u003c/code\u003e command, specifically affecting versions prior to 1.69.3. 
This flaw arises from the insufficient validation of user-supplied paths provided via the \u003ccode\u003e--out\u003c/code\u003e flag. By manipulating this flag, attackers can bypass intended directory restrictions and write files to arbitrary locations on the filesystem. This can lead to critical system file modification, potentially leading to privilege escalation and persistent backdoor installation. The vulnerability exists in the \u003ccode\u003eindex.js\u003c/code\u003e file, where the application processes the \u003ccode\u003e--out\u003c/code\u003e flag without proper sanitization before writing files to the specified directory. This is particularly concerning in automated environments like CI/CD pipelines where user input might be indirectly injected into the \u003ccode\u003efetch\u003c/code\u003e command.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains control over the input to the \u003ccode\u003efetch\u003c/code\u003e command, including the \u003ccode\u003e--out\u003c/code\u003e flag.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003e--out\u003c/code\u003e parameter containing path traversal sequences (e.g., \u003ccode\u003e../../../\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efetch\u003c/code\u003e command in \u003ccode\u003eindex.js\u003c/code\u003e processes the \u003ccode\u003e--out\u003c/code\u003e flag and extracts the user-provided path without validation.\u003c/li\u003e\n\u003cli\u003eThe application attempts to create the directory specified by the manipulated \u003ccode\u003e--out\u003c/code\u003e flag using \u003ccode\u003efs.mkdirSync\u003c/code\u003e with the \u003ccode\u003erecursive\u003c/code\u003e option.\u003c/li\u003e\n\u003cli\u003eThe application writes files (e.g., downloaded skill files) to the directory specified in the \u003ccode\u003e--out\u003c/code\u003e parameter using 
\u003ccode\u003efs.writeFileSync\u003c/code\u003e, effectively writing to an arbitrary location.\u003c/li\u003e\n\u003cli\u003eIf the attacker has sufficient privileges, they can overwrite critical system files or create new files in sensitive directories like \u003ccode\u003e/etc/cron.d\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the modified files to achieve persistence (e.g., by creating a cron job).\u003c/li\u003e\n\u003cli\u003eThe attacker executes malicious code, gaining unauthorized access or escalating privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to write files to arbitrary locations on the filesystem. This can lead to several critical consequences, including overwriting system configuration files, installing persistent backdoors via cron jobs, modifying SSH authorized_keys for unauthorized access, and potentially achieving privilege escalation if the affected process runs with elevated privileges. The impact is particularly severe in automated environments where this tool is used to deploy code, as it opens the door for supply chain attacks. 
This issue affects users of \u003ccode\u003e@evomap/evolver\u003c/code\u003e prior to version 1.69.3.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003e@evomap/evolver\u003c/code\u003e package to version 1.69.3 or later to remediate the path traversal vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Evolver Path Traversal Attempt\u003c/code\u003e to identify exploitation attempts based on command-line arguments.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for command-line arguments containing path traversal sequences like \u003ccode\u003e../\u003c/code\u003e when executing \u003ccode\u003enode\u003c/code\u003e or \u003ccode\u003enodejs\u003c/code\u003e related to evolver.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-08-10T12:00:00Z","date_published":"2024-08-10T12:00:00Z","id":"/briefs/2024-08-evolver-path-traversal/","summary":"A path traversal vulnerability exists in the `fetch` command of `@evomap/evolver` due to insufficient validation of the `--out` flag, allowing attackers to write files to arbitrary locations on the filesystem, potentially leading to overwriting critical system files and privilege escalation.","title":"Evolver Path Traversal Vulnerability in `fetch` Command","url":"https://feed.craftedsignal.io/briefs/2024-08-evolver-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["i18next-fs-backend"],"_cs_severities":["high"],"_cs_tags":["path-traversal","i18next","arbitrary-file-read","arbitrary-file-write","code-execution"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eThe i18next-fs-backend library, a file system backend for the i18next internationalization framework, is vulnerable to a path traversal attack in versions prior to 2.6.4. 
This vulnerability arises from the unsanitized use of the \u003ccode\u003elng\u003c/code\u003e (language) and \u003ccode\u003ens\u003c/code\u003e (namespace) parameters when constructing file paths for loading and writing locale files. If an application exposes the language code to user input, an attacker can craft a malicious \u003ccode\u003elng\u003c/code\u003e or \u003ccode\u003ens\u003c/code\u003e value containing directory traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e) to escape the intended locale directory. Successful exploitation can lead to arbitrary file read, arbitrary file overwrite, and, if \u003ccode\u003e.js\u003c/code\u003e or \u003ccode\u003e.ts\u003c/code\u003e files are used for localization, arbitrary code execution. This vulnerability highlights the importance of input validation, especially when constructing file paths from user-controlled data. The vulnerability was patched in version 2.6.4.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an application using a vulnerable version of \u003ccode\u003ei18next-fs-backend\u003c/code\u003e (versions prior to 2.6.4) and exposes the language code to user input via query parameters (e.g., \u003ccode\u003e?lng=\u003c/code\u003e), cookies, or request headers.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003elng\u003c/code\u003e value containing directory traversal sequences, such as \u003ccode\u003e../../../../etc\u003c/code\u003e, to target sensitive files outside the intended locale directory.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to the application with the crafted \u003ccode\u003elng\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe application passes the unsanitized \u003ccode\u003elng\u003c/code\u003e value to the \u003ccode\u003ei18next.t()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe 
\u003ccode\u003ei18next-fs-backend\u003c/code\u003e library interpolates the malicious \u003ccode\u003elng\u003c/code\u003e value into the \u003ccode\u003eloadPath\u003c/code\u003e configuration option without proper validation. For example, \u003ccode\u003eloadPath: '/locales/{{lng}}/{{ns}}.json'\u003c/code\u003e becomes \u003ccode\u003e/locales/../../../../etc/{{ns}}.json\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe backend attempts to read the file specified by the crafted path (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eIf successful, the contents of the targeted file are returned as a translation resource, potentially exposing sensitive information. If the attacker crafted the \u003ccode\u003elng\u003c/code\u003e or \u003ccode\u003ens\u003c/code\u003e value to point to a \u003ccode\u003e.js\u003c/code\u003e or \u003ccode\u003e.ts\u003c/code\u003e file containing malicious code, the backend will execute the file using \u003ccode\u003eeval()\u003c/code\u003e, leading to arbitrary code execution on the server.\u003c/li\u003e\n\u003cli\u003eAlternatively, if the application attempts to write a missing translation key using the crafted path (via \u003ccode\u003eaddPath\u003c/code\u003e), the attacker could overwrite arbitrary files on the system, potentially leading to application compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can have severe consequences. Arbitrary file read allows attackers to access sensitive data, such as configuration files, database credentials, or application source code. Arbitrary file overwrite can lead to application malfunction or complete compromise. 
If the application uses \u003ccode\u003e.js\u003c/code\u003e or \u003ccode\u003e.ts\u003c/code\u003e files for localization and the attacker is able to inject malicious code into those files through path traversal, arbitrary code execution can result, potentially allowing the attacker to gain full control of the server. The number of victims depends on the popularity and configuration of applications using the vulnerable \u003ccode\u003ei18next-fs-backend\u003c/code\u003e library.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003ei18next-fs-backend\u003c/code\u003e version 2.6.4 or later to patch the path traversal vulnerability; this version introduces the \u003ccode\u003eisSafePathSegment\u003c/code\u003e and \u003ccode\u003einterpolatePath\u003c/code\u003e functions to sanitize the path.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, sanitize the \u003ccode\u003elng\u003c/code\u003e and \u003ccode\u003ens\u003c/code\u003e values at the application boundary before passing them to \u003ccode\u003ei18next\u003c/code\u003e. Reject values containing \u003ccode\u003e..\u003c/code\u003e, \u003ccode\u003e/\u003c/code\u003e, \u003ccode\u003e\\\u003c/code\u003e, or control characters, and limit their length, to prevent path traversal as mentioned in the advisory.\u003c/li\u003e\n\u003cli\u003eIf using \u003ccode\u003e.js\u003c/code\u003e or \u003ccode\u003e.ts\u003c/code\u003e locale files, carefully review them for any suspicious or unexpected code. The advisory highlights that these files must be treated as trusted code.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing directory traversal sequences in the \u003ccode\u003elng\u003c/code\u003e or \u003ccode\u003ens\u003c/code\u003e parameters. 
Deploy the first Sigma rule for this purpose.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-25T12:00:00Z","date_published":"2024-01-25T12:00:00Z","id":"/briefs/2024-01-25-i18next-fs-backend-path-traversal/","summary":"i18next-fs-backend versions before 2.6.4 are vulnerable to path traversal due to insufficient sanitization of the lng and ns values, potentially allowing attackers to read arbitrary files, overwrite files, or execute code if .js or .ts locale files are in use.","title":"i18next-fs-backend Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-25-i18next-fs-backend-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Arbitrary-File-Write","version":"https://jsonfeed.org/version/1.1"}