Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
4Blast Radius
ecosystem impact- 6 npm packages depend on @tinacms/graphql (3 direct, 3 indirect)
Ecosystem-wide dependent count for version 2.2.2.
DescriptionGitHub Advisory
Summary
@tinacms/graphql uses string-based path containment checks in FilesystemBridge:
path.resolve(path.join(baseDir, filepath))startsWith(resolvedBase + path.sep)
That blocks plain ../ traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the allowed content root, a path like content/posts/pivot/owned.md is still considered "inside" the base even though the real filesystem target can be outside it.
As a result, FilesystemBridge.get(), put(), delete(), and glob() can operate on files outside the intended root.
Details
The current bridge validation is:
function assertWithinBase(filepath: string, baseDir: string): string {
const resolvedBase = path.resolve(baseDir);
const resolved = path.resolve(path.join(baseDir, filepath));
if (
resolved !== resolvedBase &&
!resolved.startsWith(resolvedBase + path.sep)
) {
throw new Error(
`Path traversal detected: "${filepath}" escapes the base directory`
);
}
return resolved;
}But the bridge then performs real filesystem I/O on the resulting path:
public async get(filepath: string) {
const resolved = assertWithinBase(filepath, this.outputPath);
return (await fs.readFile(resolved)).toString();
}
public async put(filepath: string, data: string, basePathOverride?: string) {
const basePath = basePathOverride || this.outputPath;
const resolved = assertWithinBase(filepath, basePath);
await fs.outputFile(resolved, data);
}
public async delete(filepath: string) {
const resolved = assertWithinBase(filepath, this.outputPath);
await fs.remove(resolved);
}This is a classic realpath gap:
- validation checks the lexical path string
- the filesystem follows the link target during I/O
- the actual target can be outside the intended root
This is reachable from Tina's GraphQL/local database flow. The resolver builds a validated path from user-controlled relativePath, but that validation is also string-based:
const realPath = path.join(collection.path, relativePath);
this.validatePath(realPath, collection, relativePath);Database write and delete operations then call the bridge:
await this.bridge.put(normalizedPath, stringifiedFile);
...
await this.bridge.delete(normalizedPath);Local Reproduction
This was verified llocally with a real junction on Windows, which exercises the same failure mode as a symlink on Unix-like systems.
Test layout:
- content root:
D:\bugcrowd\tinacms\temp\junction-repro4 - allowed collection path:
content/posts - junction inside collection:
content/posts/pivot -> D:\bugcrowd\tinacms\temp\junction-repro4\outside - file outside content root:
outside\secret.txt
Tina's current path-validation logic was applied and used to perform bridge-style read/write operations through the junction.
Observed result:
{
"graphqlBridge": {
"collectionPath": "content/posts",
"requestedRelativePath": "pivot/owned.md",
"validatedRealPath": "content\\posts\\pivot\\owned.md",
"bridgeResolvedPath": "D:\\bugcrowd\\tinacms\\temp\\junction-repro4\\content\\posts\\pivot\\owned.md",
"bridgeRead": "TOP_SECRET_FROM_OUTSIDE\\r\\n",
"outsideGraphqlWriteExists": true,
"outsideGraphqlWriteContents": "GRAPHQL_ESCAPE"
}
}That is the critical point:
- the path was accepted as inside
content/posts - the bridge read
outside\secret.txt - the bridge wrote
outside\owned.md
So the current containment check does not actually constrain filesystem access to the configured content root once a link exists inside that tree.
Impact
- Arbitrary file read/write outside the configured content root
- Potential delete outside the configured content root via the same
assertWithinBase()gap indelete() - Breaks the assumptions of the recent path-traversal fixes because only lexical traversal is blocked
- Practical attack chains where the content tree contains a committed symlink/junction, or an attacker can cause one to exist before issuing GraphQL/content operations
The exact network exploitability depends on how the application exposes Tina's GraphQL/content operations, but the underlying bridge bug is real and independently security-relevant.
Recommended Fix
The containment check needs to compare canonical filesystem paths, not just string-normalized paths.
For example:
- resolve the base with
fs.realpath() - resolve the candidate path's parent with
fs.realpath() - reject any request whose real target path escapes the real base
- for write operations, carefully canonicalize the nearest existing parent directory before creating the final file
In short: use realpath-aware containment checks for every filesystem sink, not path.resolve(...).startsWith(...) alone.
Resources
packages/@tinacms/graphql/src/database/bridge/filesystem.tspackages/@tinacms/graphql/src/database/index.tspackages/@tinacms/graphql/src/resolver/index.ts
AnalysisAI
Path traversal via symlink/junction bypass in @tinacms/graphql FilesystemBridge allows authenticated remote attackers with low privileges to read, write, and delete arbitrary files outside the configured content root. The vulnerability exploits a realpath canonicalization gap where path validation checks lexical string paths but filesystem operations follow symlink targets. Attack complexity is high (CVSS AC:H) as it requires pre-existing symlinks/junctions within the content tree or the ability
Technical ContextAI
The vulnerability resides in @tinacms/graphql's FilesystemBridge class, which implements content management filesystem operations. The bridge uses path.resolve() combined with startsWith() string checks to validate that requested file paths remain within the configured base directory. This is a classic TOCTOU (Time-of-Check-Time-of-Use) variant specific to filesystem semantics: the validation operates on lexical path strings (path.resolve() only normalizes directory separators and resolves '..' segments syntactically), but subsequent fs.readFile(), fs.outputFile(), and fs.remove() operations follow symlinks and Windows junctions to their actual targets. This creates a realpath canonicalization gap where a path like 'content/posts/pivot/owned.md' passes validation if 'pivot' is a symlink, even though the real target resolves to a location outside the content root (e.g., '/etc/passwd' or 'C:\Windows\System32\config'). The vulnerability is exploitable through Tina's GraphQL resolver layer, which constructs file paths from user-controlled 'relativePath' parameters and passes them to bridge methods. CWE-22 (Path Traversal) accurately categorizes this as improper limitation of pathname, though the specific failure mode is symlink-following rather than '../' sequence injection.
RemediationAI
Apply the vendor-released patch immediately by upgrading to a TinaCMS version that includes commit f124eabaca10dac9a4d765c9e4135813c4830955 or later. The patch is available at https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955. The fix implements realpath-aware canonicalization by resolving both the base directory and candidate file paths using fs.realpath() before performing containment checks, ensuring validation operates on actual filesystem targets rather than lexical path strings. For write operations, the patch canonicalizes the nearest existing parent directory before creating files to prevent race conditions. If immediate patching is not feasible, implement the following interim controls: audit all content repositories for existing symlinks and junctions, removing any that point outside the intended content root; enforce strict access controls on content write operations to prevent authenticated users from creating symlinks; deploy filesystem monitoring to detect symlink creation attempts; consider running the TinaCMS process with restricted filesystem permissions using chroot jails or containers to limit damage from successful exploitation. Review application logs for suspicious file access patterns involving nested paths that might indicate exploitation attempts. Consult the full security advisory at https://github.com/advisories/GHSA-g9c2-gf25-3x67 for additional vendor guidance.
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and
An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar
Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra
An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT
Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi
An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte
Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se
A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17965
GHSA-g9c2-gf25-3x67