{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/evomap/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["@evomap/evolver (\u003c= 1.70.0-beta.4)"],"_cs_severities":["critical"],"_cs_tags":["path-traversal","rce","evomap"],"_cs_type":"advisory","_cs_vendors":["evomap"],"content_html":"\u003cp\u003eThe \u003ccode\u003e@evomap/evolver\u003c/code\u003e package, specifically versions 1.70.0-beta.4 and earlier, contains a path traversal vulnerability in the \u003ccode\u003eevolver fetch\u003c/code\u003e subcommand. This vulnerability resides within \u003ccode\u003eindex.js\u003c/code\u003e and allows a malicious A2A Hub to overwrite project files, ultimately leading to remote code execution (RCE). The flaw stems from insufficient sanitization of the \u003ccode\u003eskill_id\u003c/code\u003e parameter, where a regex allow-list permits the use of \u003ccode\u003e.\u003c/code\u003e characters. An attacker can exploit this by uploading a malicious skill to the A2A Hub with a crafted \u003ccode\u003eskill_id\u003c/code\u003e of \u003ccode\u003e..\u003c/code\u003e and a bundled file such as \u003ccode\u003eindex.js\u003c/code\u003e containing attacker-controlled JavaScript code. When a victim fetches the malicious skill, their \u003ccode\u003eindex.js\u003c/code\u003e file is overwritten. The next time the victim invokes \u003ccode\u003enode index.js\u003c/code\u003e, even with a simple command like \u003ccode\u003e--help\u003c/code\u003e, the malicious code executes with the victim\u0026rsquo;s privileges, giving the attacker control of the victim\u0026rsquo;s environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker uploads a malicious skill to the A2A Hub, setting the \u003ccode\u003eskill_id\u003c/code\u003e to \u003ccode\u003e..\u003c/code\u003e. The malicious skill also includes a \u003ccode\u003ebundled_files\u003c/code\u003e array containing a file named \u003ccode\u003eindex.js\u003c/code\u003e with malicious JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe victim runs \u003ccode\u003enode index.js fetch --skill=anything\u003c/code\u003e to download the skill.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eevolver fetch\u003c/code\u003e command in \u003ccode\u003eindex.js\u003c/code\u003e uses \u003ccode\u003epath.join('.', 'skills', safeId)\u003c/code\u003e to determine the output directory, where \u003ccode\u003esafeId\u003c/code\u003e is the attacker-controlled \u003ccode\u003eskill_id\u003c/code\u003e after regex sanitization. Since \u003ccode\u003esafeId\u003c/code\u003e is \u003ccode\u003e..\u003c/code\u003e, the output directory resolves to the current working directory.\u003c/li\u003e\n\u003cli\u003eThe code proceeds to iterate over the \u003ccode\u003ebundled_files\u003c/code\u003e array from the Hub response and writes each file to the output directory.\u003c/li\u003e\n\u003cli\u003eDue to the path traversal, the attacker-supplied \u003ccode\u003eindex.js\u003c/code\u003e file overwrites the original \u003ccode\u003eindex.js\u003c/code\u003e file in the victim\u0026rsquo;s current working directory.\u003c/li\u003e\n\u003cli\u003eThe victim subsequently invokes \u003ccode\u003enode index.js \u0026lt;command\u0026gt;\u003c/code\u003e, which executes the attacker-controlled JavaScript code due to the overwritten \u003ccode\u003eindex.js\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution with the privileges of the victim\u0026rsquo;s user account.\u003c/li\u003e\n\u003cli\u003eThe attacker can maintain persistence by using the \u003ccode\u003erun --loop\u003c/code\u003e daemon mode and injecting commands or establishing reverse shells.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to remote code execution on the victim\u0026rsquo;s machine with the privileges of the \u003ccode\u003eevolver\u003c/code\u003e process. This allows the attacker to execute arbitrary commands, install malware, steal sensitive data, or compromise the entire system. The impact is amplified because the loop daemon (\u003ccode\u003enode index.js run --loop\u003c/code\u003e) is the documented long-running mode, resulting in the malicious code being executed rapidly after the next daemon iteration. This vulnerability allows an attacker to compromise every user that fetches the malicious skill with a single malicious skill upload. Furthermore, the attacker can also overwrite other files like \u003ccode\u003epackage.json\u003c/code\u003e, potentially leading to further compromise of the victim\u0026rsquo;s system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect attempts to download skills with suspicious \u003ccode\u003eskill_id\u003c/code\u003e values from the A2A Hub.\u003c/li\u003e\n\u003cli\u003eApply the provided patch to \u003ccode\u003eindex.js\u003c/code\u003e to reject \u003ccode\u003esafeId\u003c/code\u003e values that are not single non-traversing path segments, or reuse the same \u003ccode\u003epath.relative\u003c/code\u003e check used in the \u003ccode\u003e--out\u003c/code\u003e branch.\u003c/li\u003e\n\u003cli\u003eConsider removing \u003ccode\u003e.\u003c/code\u003e from the regex allow-list used to sanitize the \u003ccode\u003eskill_id\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eImplement signature verification on the Hub response payload before writing any file to disk.\u003c/li\u003e\n\u003cli\u003eDisallow bundled-file \u003ccode\u003esafeName\u003c/code\u003e values that match top-level project files (\u003ccode\u003eindex.js\u003c/code\u003e, \u003ccode\u003epackage.json\u003c/code\u003e, \u003ccode\u003epackage-lock.json\u003c/code\u003e, etc.) regardless of \u003ccode\u003eoutDir\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-06T12:00:00Z","date_published":"2026-05-06T12:00:00Z","id":"/briefs/2026-05-evomap-path-traversal/","summary":"A path traversal vulnerability in `@evomap/evolver` allows a malicious A2A Hub to overwrite project files, leading to remote code execution when a user fetches a malicious skill.","title":"@evomap/evolver Path Traversal Vulnerability Leads to RCE","url":"https://feed.craftedsignal.io/briefs/2026-05-evomap-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Evomap","version":"https://jsonfeed.org/version/1.1"}