{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/prompty/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-53597"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@prompty/core"],"_cs_severities":["high"],"_cs_tags":["arbitrary-code-execution","supply-chain","vulnerability","nodejs","typescript"],"_cs_type":"advisory","_cs_vendors":["Prompty"],"content_html":"\u003cp\u003eA critical vulnerability, tracked as CVE-2026-53597, affects the Prompty TypeScript loader, specifically the \u003ccode\u003e@prompty/core\u003c/code\u003e npm package in versions \u003ccode\u003e\u0026gt;= 2.0.0-alpha.1\u003c/code\u003e up to but not including \u003ccode\u003e2.0.0-beta.3\u003c/code\u003e. The vulnerability stems from the library's use of \u003ccode\u003egray-matter\u003c/code\u003e for parsing frontmatter in \u003ccode\u003e.prompty\u003c/code\u003e files without properly disabling or overriding executable frontmatter engines. \u003ccode\u003egray-matter\u003c/code\u003e, by default, supports and evaluates JavaScript frontmatter blocks, indicated by \u003ccode\u003e---js\u003c/code\u003e. This oversight allows an attacker to craft a malicious \u003ccode\u003e.prompty\u003c/code\u003e file containing arbitrary JavaScript code within such a block. When an application loads and parses this untrusted file, the embedded JavaScript is executed in the context of the host Node.js process, leading to arbitrary code execution. This poses a significant risk to applications that process user-provided or untrusted \u003ccode\u003e.prompty\u003c/code\u003e files, prompt paths, or prompt bundles.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious \u003ccode\u003e.prompty\u003c/code\u003e file containing a \u003ccode\u003e---js\u003c/code\u003e frontmatter block.\u003c/li\u003e\n\u003cli\u003eWithin this JavaScript frontmatter block, the attacker embeds arbitrary JavaScript code designed to achieve their objective (e.g., remote code execution, data exfiltration).\u003c/li\u003e\n\u003cli\u003eThe attacker delivers this malicious \u003ccode\u003e.prompty\u003c/code\u003e file to a victim organization, potentially through social engineering or by placing it in an accessible repository.\u003c/li\u003e\n\u003cli\u003eA victim application, utilizing the vulnerable \u003ccode\u003e@prompty/core\u003c/code\u003e package (versions \u003ccode\u003e\u0026gt;= 2.0.0-alpha.1 \u0026lt; 2.0.0-beta.3\u003c/code\u003e), loads or processes the untrusted \u003ccode\u003e.prompty\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eDuring the parsing process, \u003ccode\u003e@prompty/core\u003c/code\u003e invokes the \u003ccode\u003egray-matter\u003c/code\u003e library to extract and process the file's frontmatter.\u003c/li\u003e\n\u003cli\u003eAs \u003ccode\u003e@prompty/core\u003c/code\u003e does not override \u003ccode\u003egray-matter\u003c/code\u003e's default behavior, the \u003ccode\u003e---js\u003c/code\u003e frontmatter engine is activated and the embedded JavaScript code is evaluated.\u003c/li\u003e\n\u003cli\u003eThe attacker's arbitrary JavaScript payload executes with the permissions of the Node.js process running the victim application.\u003c/li\u003e\n\u003cli\u003eThis leads to arbitrary code execution on the host system, potentially enabling system compromise, data theft, or further lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eApplications that load untrusted \u003ccode\u003e.prompty\u003c/code\u003e files or prompt bundles from less-trusted locations are susceptible to arbitrary JavaScript execution. If exploited, an attacker could execute arbitrary code within the host Node.js process, potentially leading to full system compromise, data exfiltration, or disruption of service. This can result in significant financial, reputational, and operational damage, depending on the privileges and sensitive data accessible by the compromised Node.js application. While specific victim counts are not available, any organization deploying applications using the vulnerable \u003ccode\u003e@prompty/core\u003c/code\u003e versions that handle untrusted inputs is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003e@prompty/core\u003c/code\u003e package to version \u003ccode\u003e2.0.0-beta.3\u003c/code\u003e or later immediately to remediate the CVE-2026-53597 vulnerability.\u003c/li\u003e\n\u003cli\u003eEnsure that application environments are configured to prevent the execution of untrusted code, even if a parsing vulnerability exists.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-17T19:54:50Z","date_published":"2026-07-17T19:54:50Z","id":"https://feed.craftedsignal.io/briefs/2026-07-arbitrary-code-execution-prompty/","summary":"A high-severity vulnerability, CVE-2026-53597, in the Prompty TypeScript loader (`@prompty/core`) versions `\u003e= 2.0.0-alpha.1 \u003c 2.0.0-beta.3` allows arbitrary JavaScript code execution in the host Node.js process when parsing untrusted `.prompty` files due to improper handling of `gray-matter`'s executable frontmatter engines.","title":"Arbitrary Code Execution via JavaScript Frontmatter in Prompty TypeScript Loader","url":"https://feed.craftedsignal.io/briefs/2026-07-arbitrary-code-execution-prompty/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-53598"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["prompty (PyPI) \u003c= 2.0.0b1","@prompty/core (npm) \u003c= 2.0.0-beta.1","prompty (crates.io) \u003c= 2.0.0-beta.1","Prompty.Core (NuGet) \u003c= 2.0.0-beta.1"],"_cs_severities":["high"],"_cs_tags":["arbitrary-file-read","path-traversal","code-execution","prompty"],"_cs_type":"advisory","_cs_vendors":["Prompty"],"content_html":"\u003cp\u003eCVE-2026-53598 describes an arbitrary file read vulnerability affecting Prompty libraries across multiple ecosystems, including PyPI \u003ccode\u003eprompty\u003c/code\u003e (versions \u003ccode\u003e\u0026lt;= 2.0.0b1\u003c/code\u003e), npm \u003ccode\u003e@prompty/core\u003c/code\u003e (versions \u003ccode\u003e\u0026lt;= 2.0.0-beta.1\u003c/code\u003e), crates.io \u003ccode\u003eprompty\u003c/code\u003e (versions \u003ccode\u003e\u0026lt;= 2.0.0-beta.1\u003c/code\u003e), and NuGet \u003ccode\u003ePrompty.Core\u003c/code\u003e (versions \u003ccode\u003e\u0026lt;= 2.0.0-beta.1\u003c/code\u003e). This flaw stems from improper validation of \u003ccode\u003e${file:...}\u003c/code\u003e references within \u003ccode\u003e.prompty\u003c/code\u003e frontmatter, allowing path traversal (\u003ccode\u003e../\u003c/code\u003e) or absolute paths to read files outside the intended directory. Threat actors could exploit this by providing a specially crafted \u003ccode\u003e.prompty\u003c/code\u003e file to a vulnerable application, leading to the disclosure of sensitive local files accessible to the application's process. The vulnerability was patched in versions \u003ccode\u003e2.0.0b2\u003c/code\u003e and \u003ccode\u003e2.0.0-beta.2\u003c/code\u003e, which enforce stricter path restrictions and canonicalization.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious \u003ccode\u003e.prompty\u003c/code\u003e file containing a \u003ccode\u003e${file:...}\u003c/code\u003e reference with a path traversal sequence (e.g., \u003ccode\u003e${file:../etc/passwd}\u003c/code\u003e) or an absolute path (e.g., \u003ccode\u003e${file:/etc/shadow}\u003c/code\u003e) in its frontmatter.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers this malicious \u003ccode\u003e.prompty\u003c/code\u003e file to a vulnerable application or convinces a victim to load it, targeting applications using PyPI \u003ccode\u003eprompty\u003c/code\u003e (\u0026lt;= 2.0.0b1), npm \u003ccode\u003e@prompty/core\u003c/code\u003e (\u0026lt;= 2.0.0-beta.1), crates.io \u003ccode\u003eprompty\u003c/code\u003e (\u0026lt;= 2.0.0-beta.1), or NuGet \u003ccode\u003ePrompty.Core\u003c/code\u003e (\u0026lt;= 2.0.0-beta.1).\u003c/li\u003e\n\u003cli\u003eThe vulnerable application loads the untrusted \u003ccode\u003e.prompty\u003c/code\u003e file, which includes the frontmatter containing the crafted file reference.\u003c/li\u003e\n\u003cli\u003eThe Prompty loader attempts to expand the \u003ccode\u003e${file:...}\u003c/code\u003e reference during processing without properly validating the resolved path against authorized directories or canonicalizing it.\u003c/li\u003e\n\u003cli\u003eThe Prompty library's internal logic resolves the path traversal or absolute path, causing the application to read the arbitrary file from the host system.\u003c/li\u003e\n\u003cli\u003eThe content of the sensitive file (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e, \u003ccode\u003e/etc/shadow\u003c/code\u003e, configuration files) is then processed by the application.\u003c/li\u003e\n\u003cli\u003eThe application may log the content, include it in a response, or otherwise expose it, allowing the attacker to receive or extract the contents of the arbitrary file.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves sensitive information disclosure, obtaining unauthorized access to local system files.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eApplications that process untrusted \u003ccode\u003e.prompty\u003c/code\u003e files are at severe risk of arbitrary file disclosure due to CVE-2026-53598. Successful exploitation could lead to attackers reading any file accessible to the vulnerable application's process, including critical configuration files, user credentials, application source code, or sensitive private data. While no specific victim counts are provided, any organization utilizing affected Prompty versions in environments that parse external or user-provided prompt files is vulnerable to significant information theft. The potential damage includes intellectual property loss, system compromise through leaked credentials, and privacy breaches if personal data is exposed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all PyPI \u003ccode\u003eprompty\u003c/code\u003e installations to version \u003ccode\u003e2.0.0b2\u003c/code\u003e or higher immediately to remediate CVE-2026-53598.\u003c/li\u003e\n\u003cli\u003eUpgrade all npm \u003ccode\u003e@prompty/core\u003c/code\u003e installations to \u003ccode\u003e2.0.0-beta.2\u003c/code\u003e or higher immediately to remediate CVE-2026-53598.\u003c/li\u003e\n\u003cli\u003eUpgrade all crates.io \u003ccode\u003eprompty\u003c/code\u003e installations to \u003ccode\u003e2.0.0-beta.2\u003c/code\u003e or higher immediately to remediate CVE-2026-53598.\u003c/li\u003e\n\u003cli\u003eUpgrade all NuGet \u003ccode\u003ePrompty.Core\u003c/code\u003e installations to \u003ccode\u003e2.0.0-beta.2\u003c/code\u003e or higher immediately to remediate CVE-2026-53598.\u003c/li\u003e\n\u003cli\u003eReview application logs for CVE-2026-53598 exploitation attempts, specifically looking for \u003ccode\u003eprompty\u003c/code\u003e library operations attempting to access files outside expected asset directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-17T19:47:13Z","date_published":"2026-07-17T19:47:13Z","id":"https://feed.craftedsignal.io/briefs/2026-07-prompty-arbitrary-file-read/","summary":"A path traversal vulnerability, CVE-2026-53598, in Prompty loaders allows an attacker-controlled `.prompty` file to read arbitrary files accessible to the host application process due to improper validation of `${file:...}` references in frontmatter, leading to sensitive local file disclosure.","title":"Prompty Arbitrary File Read Vulnerability via File Reference Expansion (CVE-2026-53598)","url":"https://feed.craftedsignal.io/briefs/2026-07-prompty-arbitrary-file-read/"}],"language":"en","title":"CraftedSignal Threat Feed - Prompty","version":"https://jsonfeed.org/version/1.1"}