Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
ByteDance DeerFlow before commit 2176b2b contains a path traversal and arbitrary file write vulnerability in bootstrap-mode custom-agent creation where the agent name validation is bypassed. Attackers can supply traversal-style values or absolute paths as the agent name to influence directory creation and write files outside the intended custom-agent directory, potentially achieving arbitrary file write on the system subject to filesystem permissions.
AnalysisAI
Path traversal in ByteDance DeerFlow's bootstrap-mode custom-agent creation allows authenticated remote attackers to write arbitrary files outside intended directories. Affected versions prior to commit 2176b2b fail to validate agent names, enabling directory traversal sequences (../) or absolute paths to bypass containment controls. Successful exploitation achieves arbitrary file write subject to application process permissions, enabling configuration tampering, code injection, or denial of service. Vendor patch available via GitHub commit 2176b2b. EPSS data unavailable; not currently listed in CISA KEV. Publicly available exploit code exists (GitHub PR #2274 demonstrates vulnerability).
Technical ContextAI
DeerFlow is ByteDance's workflow orchestration platform for machine learning pipelines. This vulnerability affects the bootstrap-mode functionality responsible for creating custom agent configurations. The flaw stems from insufficient input validation (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) when processing user-supplied agent names during the creation workflow. The application fails to sanitize path traversal sequences (../, ..\ ) and absolute paths before using the agent name parameter in filesystem operations. When an authenticated user creates a custom agent, the unsanitized name is passed to directory creation and file write operations, allowing attackers to escape the intended custom-agent directory tree. The CVSS:4.0 vector (AV:N/AC:L/PR:L) confirms this is a network-accessible attack with low complexity requiring only low-privilege authentication. The affected CPE (cpe:2.3:a:bytedance:deer-flow) indicates all pre-patch versions are vulnerable, with the fix implemented in commit 2176b2b.
RemediationAI
Upgrade to ByteDance DeerFlow commit 2176b2bbfccfce25ceee08318813f96d843a13fd or later, which implements proper path validation for agent names in bootstrap-mode custom-agent creation. The patch is available via GitHub at https://github.com/bytedance/deer-flow/commit/2176b2bbfccfce25ceee08318813f96d843a13fd. Organizations unable to immediately patch should implement defense-in-depth controls: (1) Restrict custom-agent creation permissions to trusted administrator accounts only, reducing the attack surface to insider threats; (2) Deploy filesystem-level write restrictions ensuring the DeerFlow application process cannot write to sensitive directories like configuration roots, binary directories, or web-accessible paths (note: this limits impact but does not prevent exploitation, and may interfere with legitimate agent operations); (3) Enable comprehensive filesystem audit logging to detect path traversal attempts in agent name parameters; (4) If DeerFlow is exposed to untrusted networks, place it behind authentication gateways requiring MFA for low-privilege accounts. Review existing custom-agent configurations for suspicious names containing '../' sequences or absolute paths, which may indicate prior exploitation attempts. Compensating controls reduce but do not eliminate risk-patching remains the primary mitigation.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23456