Arbitrary-File-Write — CraftedSignal Threat Feed

Zarf Path Traversal Vulnerability via Malicious Package Metadata.Name

hello@craftedsignal.io — Wed, 15 Apr 2026 12:00:00 +0000

Zarf, a tool for air-gapped deployments, is susceptible to a path traversal vulnerability (CVE-2026-40090) affecting versions prior to v0.74.2. The vulnerability stems from inadequate sanitization of the Metadata.Name field within Zarf package manifests. When a user employs the zarf package inspect sbom or zarf package inspect documentation commands on an untrusted package, the tool constructs output file paths by concatenating a user-controlled output directory with the package’s Metadata.Name field. A malicious actor can craft a Zarf package with a manipulated Metadata.Name containing path traversal sequences (e.g., ../../), enabling arbitrary file write capabilities within the permissions of the user running the inspect command. This vulnerability allows attackers to write to locations they control, potentially leading to privilege escalation or system compromise.

Attack Chain

Attacker crafts a malicious Zarf package.
The attacker modifies the zarf.yaml manifest within the package to include a Metadata.Name field containing path traversal sequences (e.g., ../../../../tmp/evil).
The attacker repacks the Zarf package, recalculating checksums if necessary.
The attacker distributes the malicious Zarf package.
A victim user downloads the malicious Zarf package.
The victim executes zarf package inspect sbom --output-dir /tmp or zarf package inspect documentation --output-dir /tmp .
Zarf extracts the Metadata.Name from the zarf.yaml file.
Zarf constructs an output path by joining the user-specified output directory (/tmp) with the malicious Metadata.Name (../../../../tmp/evil), resulting in /tmp/../../../../tmp/evil. The tool attempts to write the SBOM or documentation data to this path, resulting in writing the file to /tmp/evil. This allows attackers to write files such as SSH authorized keys, cron jobs, or shell profiles.

Impact

Successful exploitation of this vulnerability allows an attacker to write arbitrary files to the file system, limited by the permissions of the user running the zarf package inspect command. This can lead to several critical consequences: privilege escalation by writing to authorized_keys files, arbitrary code execution by writing cron jobs, or persistent compromise by writing to shell profiles. This vulnerability affects users running the zarf package inspect sbom or zarf package inspect documentation command on untrusted packages. The affected packages are go/github.com/zarf-dev/zarf versions >= 0.23.0 and < 0.74.2.

Recommendation

Upgrade Zarf to version v0.74.2 or later to patch CVE-2026-40090.
Avoid inspecting unsigned Zarf packages as a workaround until the upgrade is complete, as mentioned in the advisory.
Deploy the Sigma rule “Detect Zarf Package Inspection with Path Traversal” to identify attempts to exploit this vulnerability via command-line arguments.
Monitor file creation events in sensitive directories (e.g., /home/$USER/.ssh, /etc/cron.d) for files created by the zarf binary using the “Detect Zarf Arbitrary File Write” Sigma rule.

TinaCMS GraphQL Path Traversal Vulnerability

hello@craftedsignal.io — Mon, 30 Mar 2026 17:11:02 +0000

A path traversal vulnerability has been identified in versions 2.2.1 and earlier of @tinacms/graphql, a GraphQL API for TinaCMS. This flaw enables unauthenticated attackers to write and overwrite arbitrary files within the project root directory. The vulnerability stems from insufficient validation of the relativePath parameter within GraphQL mutations. By exploiting this weakness, attackers can overwrite critical server configuration files like package.json and tsconfig.json, inject malicious scripts into the public/ directory, and even achieve arbitrary code execution by modifying build scripts or server-side logic files. This vulnerability poses a significant risk to systems utilizing vulnerable versions of @tinacms/graphql.

Attack Chain

An attacker identifies a TinaCMS instance running a vulnerable version of @tinacms/graphql (<= 2.2.1).
The attacker crafts a malicious GraphQL mutation request targeting the updateDocument mutation.
Within the mutation, the attacker manipulates the relativePath parameter to include a path traversal sequence, such as x\\\\..\\\\..\\\\..\\\\package.json. The backslashes are misinterpreted on non-Windows systems.
The vulnerable getValidatedPath function fails to properly sanitize the malicious path due to the backslash bypass on non-Windows platforms.
The request is processed, and the server attempts to write to the attacker-specified file path.
The file system API resolves the path traversal sequence, leading to a write operation outside the intended directory.
The attacker overwrites a critical file, such as package.json, with malicious content.
The server or build process executes the modified file, resulting in arbitrary code execution or other malicious behavior.

Impact

Successful exploitation of this vulnerability allows unauthenticated attackers to perform arbitrary file writes, leading to several critical consequences. Attackers can overwrite server configuration files, inject malicious scripts for client-side attacks, and achieve arbitrary code execution by modifying build scripts or server-side logic. The impact ranges from denial of service to complete system compromise. While the exact number of affected systems is unknown, all TinaCMS instances running @tinacms/graphql version 2.2.1 or earlier are susceptible.

Recommendation

Upgrade @tinacms/graphql to a patched version (later than 2.2.1) to remediate CVE-2026-33949.
Deploy the Sigma rule Detect TinaCMS GraphQL Path Traversal Attempt to identify attempted exploitation of the vulnerability.
Monitor web server logs for POST requests to the /graphql endpoint containing suspicious relativePath parameters.
Implement strict input validation and sanitization for file paths within GraphQL mutations, regardless of the underlying operating system.

Gigabyte Control Center Arbitrary File Write Vulnerability

hello@craftedsignal.io — Mon, 30 Mar 2026 08:16:18 +0000

The Gigabyte Control Center application is vulnerable to an arbitrary file write vulnerability, identified as CVE-2026-4415. The vulnerability exists because when the “pairing” feature is enabled, it allows unauthenticated remote attackers to write arbitrary files to any location on the underlying operating system. This issue was reported on March 30, 2026. Successful exploitation could allow attackers to achieve arbitrary code execution or escalate privileges on the affected system. This poses…

Evolver Path Traversal Vulnerability in `fetch` Command

hello@craftedsignal.io — Sat, 10 Aug 2024 12:00:00 +0000

The @evomap/evolver package contains a path traversal vulnerability in its fetch command, specifically affecting versions prior to 1.69.3. This flaw arises from the insufficient validation of user-supplied paths provided via the --out flag. By manipulating this flag, attackers can bypass intended directory restrictions and write files to arbitrary locations on the filesystem. This can lead to critical system file modification, potentially leading to privilege escalation and persistent backdoor installation. The vulnerability exists in the index.js file, where the application processes the --out flag without proper sanitization before writing files to the specified directory. This is particularly concerning in automated environments like CI/CD pipelines where user input might be indirectly injected into the fetch command.

Attack Chain

The attacker gains control over the input to the fetch command, including the --out flag.
The attacker crafts a malicious --out parameter containing path traversal sequences (e.g., ../../../).
The fetch command in index.js processes the --out flag and extracts the user-provided path without validation.
The application attempts to create the directory specified by the manipulated --out flag using fs.mkdirSync with the recursive option.
The application writes files (e.g., downloaded skill files) to the directory specified in the --out parameter using fs.writeFileSync, effectively writing to an arbitrary location.
If the attacker has sufficient privileges, they can overwrite critical system files or create new files in sensitive directories like /etc/cron.d.
The attacker leverages the modified files to achieve persistence (e.g., by creating a cron job).
The attacker executes malicious code, gaining unauthorized access or escalating privileges.

Impact

Successful exploitation of this vulnerability allows an attacker to write files to arbitrary locations on the filesystem. This can lead to several critical consequences, including overwriting system configuration files, installing persistent backdoors via cron jobs, modifying SSH authorized_keys for unauthorized access, and potentially achieving privilege escalation if the affected process runs with elevated privileges. The impact is particularly severe in automated environments where this tool is used to deploy code, as it opens the door for supply chain attacks. This issue affects users of @evomap/evolver prior to version 1.69.3.

Recommendation

Upgrade the @evomap/evolver package to version 1.69.3 or later to remediate the path traversal vulnerability.
Deploy the Sigma rule Detect Evolver Path Traversal Attempt to identify exploitation attempts based on command-line arguments.
Monitor process creation events for command-line arguments containing path traversal sequences like ../ when executing node or nodejs related to evolver.

i18next-fs-backend Path Traversal Vulnerability

hello@craftedsignal.io — Thu, 25 Jan 2024 12:00:00 +0000

The i18next-fs-backend library, a file system backend for the i18next internationalization framework, is vulnerable to a path traversal attack in versions prior to 2.6.4. This vulnerability arises from the unsanitized use of the lng (language) and ns (namespace) parameters when constructing file paths for loading and writing locale files. If an application exposes the language code to user input, an attacker can craft a malicious lng or ns value containing directory traversal sequences (e.g., ../) to escape the intended locale directory. Successful exploitation can lead to arbitrary file read, arbitrary file overwrite, and, if .js or .ts files are used for localization, arbitrary code execution. This vulnerability highlights the importance of input validation, especially when constructing file paths from user-controlled data. The vulnerability was patched in version 2.6.4.

Attack Chain

An attacker identifies an application using a vulnerable version of i18next-fs-backend (versions prior to 2.6.4) and exposes the language code to user input via query parameters (e.g., ?lng=), cookies, or request headers.
The attacker crafts a malicious lng value containing directory traversal sequences, such as ../../../../etc, to target sensitive files outside the intended locale directory.
The attacker sends a request to the application with the crafted lng parameter.
The application passes the unsanitized lng value to the i18next.t() function.
The i18next-fs-backend library interpolates the malicious lng value into the loadPath configuration option, without proper validation. For example, loadPath: '/locales/{{lng}}/{{ns}}.json' becomes /locales/../../../../etc/{{ns}}.json.
The backend attempts to read the file specified by the crafted path (e.g., /etc/passwd).
If successful, the contents of the targeted file are returned as a translation resource, potentially exposing sensitive information. If the attacker crafted the lng or ns value to point to a .js or .ts file containing malicious code, the backend will execute the file using eval(), leading to arbitrary code execution on the server.
Alternatively, if the application attempts to write a missing translation key using the crafted path (via addPath), the attacker could overwrite arbitrary files on the system, potentially leading to application compromise.

Impact

Successful exploitation of this vulnerability can have severe consequences. Arbitrary file read allows attackers to access sensitive data, such as configuration files, database credentials, or application source code. Arbitrary file overwrite can lead to application malfunction or complete compromise. If the application uses .js or .ts files for localization and the attacker is able to inject malicious code into those files through path traversal, arbitrary code execution can result, potentially allowing the attacker to gain full control of the server. The number of victims depends on the popularity and configuration of applications using the vulnerable i18next-fs-backend library.

Recommendation

Upgrade to i18next-fs-backend version 2.6.4 or later to patch the path traversal vulnerability as this version introduces the isSafePathSegment and interpolatePath functions to sanitize the path.
If upgrading is not immediately feasible, sanitize the lng and ns values at the application boundary before passing them to i18next. Reject values containing .., /, \, control characters, and limit the length to prevent path traversal as mentioned in the advisory.
If using .js or .ts locale files, carefully review them for any suspicious or unexpected code. The advisory highlights that these files must be treated as trusted code.
Monitor web server logs for suspicious requests containing directory traversal sequences in the lng or ns parameters. Deploy the first Sigma rule for this purpose.