Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are attacker-controlled, but the implementation does not enforce that those paths remain inside the plugin directory. A malicious plugin can therefore use absolute paths or ../ traversal paths to copy arbitrary readable host files or directories from the installer's machine during apm install.
In the verified primary proof of concept, a malicious plugin sets plugin.json.commands to an external markdown file. A single apm install copies that outside file into .apm/prompts/ and then auto-integrates it into .github/prompts/secret.prompt.md in the victim project. This is a local supply-chain trust-boundary violation with direct confidentiality and integrity impact.
Reviewed version and commit:
apm-cliversion0.8.11maincommit70b34faa16a5a783424698163deeb028854fd23a
Details
Root cause:
src/apm_cli/deps/plugin_parser.py:336-348_resolve_sources()joins manifest-controlledagents,skills,commands, and directory-formhookspaths withplugin_path- it checks only
exists()andis_symlink() - it does not resolve the candidate and verify containment inside the plugin root
src/apm_cli/deps/plugin_parser.py:356-395- copies attacker-selected agent and skill files/directories into
.apm/ src/apm_cli/deps/plugin_parser.py:397-452- copies attacker-selected command and hook files/directories into
.apm/ src/apm_cli/deps/plugin_parser.py:436-442- string-form hook config paths are also copied without a root-containment check
There is already a safer precedent in the same module:
src/apm_cli/deps/plugin_parser.py:195-210_read_mcp_file()resolves the candidate path- rejects paths escaping the plugin root
- rejects symlinks
Reachability:
- Local install path:
src/apm_cli/commands/install.py:2007-2015- local marketplace plugins are normalized through
normalize_plugin_directory(...) - Remote install path:
src/apm_cli/deps/github_downloader.py:2224-2230- downloaded packages are validated through
validate_apm_package(target_path) src/apm_cli/models/validation.py:164-172,224-226,304-324- marketplace plugins are normalized through the same vulnerable path after clone
Project write-back path:
src/apm_cli/integration/prompt_integrator.py:38-56- reads
.apm/prompts/*.prompt.md src/apm_cli/integration/prompt_integrator.py:170-189- writes prompt files into
.github/prompts/ src/apm_cli/commands/install.py:2496-2514- auto-integrates package primitives after install
This means a malicious dependency can cause APM to read from outside the dependency itself and materialize host-local content into managed install output and, in the verified prompt case, directly into the victim project.
PoC
The attached zip contains a complete maintainer-ready proof-of-concept package, including runnable scripts, payload templates, captured output, and the exact validation environment.
Primary end-to-end apm install reproduction:
- Install APM from the reviewed source tree (
apm-cli 0.8.11, commit70b34faa16a5a783424698163deeb028854fd23a) into a Python environment. - Create an external file outside the malicious plugin directory, for example:
victim\secret.mdwith content:
# STOLEN VIA APM INSTALL- Create a malicious plugin with this minimal
plugin.json:
{
"name": "evil-plugin",
"commands": "D:\\absolute\\path\\to\\victim\\secret.md"
}- Create a minimal
apm.ymlthat references the malicious plugin. - Run:
apm install- Observe that APM completes successfully and writes:
.github/prompts/secret.prompt.md- Observe that the resulting prompt file contains the external host file content:
# STOLEN VIA APM INSTALLVerified console output from the included PoC:
[>] Installing dependencies from apm.yml...
[+] ./evil-plugin (local)
|-- 1 prompts integrated -> .github/prompts/
[*] Installed 1 APM dependency.
PoC succeeded.
Integrated into project: ...\.github\prompts\secret.prompt.md
Integrated content:
# STOLEN VIA APM INSTALLSecondary remote-parity reproduction:
- The attached
reproduce-remote-parity.pyexercisesGitHubPackageDownloader.download_package(...)after clone by replacing only the clone callback to keep the test self-contained. - It confirms the same unsafe normalization path copies an outside host file into:
<download-target>/.apm/prompts/secret.prompt.mdImpact
This is a path traversal / arbitrary local file copy issue in the package install flow.
Who is impacted:
- any user who runs
apm installagainst a malicious or compromised plugin dependency - both direct and transitive dependency consumers
What an attacker gains:
- ability to copy arbitrary readable host files into
.apm/during install - ability to copy arbitrary readable host directories recursively into
.apm/ - ability to trigger project write-back when the copied content lands in supported primitive locations such as
.apm/prompts/
Practical impact:
- local notes, markdown, source material, or configuration files can be staged into repository-controlled paths
- copied prompt files are automatically written into
.github/prompts/, increasing the chance that sensitive or attacker-selected content is committed, synced, or consumed by other tooling - the issue breaks the expected trust boundary that a dependency install should copy only content belonging to the dependency itself
Mitigation
Recommended fix:
- Resolve every manifest-controlled component path against
plugin_path.resolve(). - Reject absolute or relative paths that escape the plugin root.
- Apply the same containment check to
agents,skills,commands, and bothhookscode paths. - Reject symlinks before copying.
- Add regression tests for:
- absolute file path in
commands - absolute directory path in
commands ../traversal inagents../traversal inskills../traversal inhooks- confirmation that only in-root files remain accepted
Attachment
AnalysisAI
Path traversal in Microsoft APM CLI 0.8.11 and earlier allows malicious plugins to copy arbitrary readable host files into managed project directories during installation. The plugin_parser.py module fails to validate that component paths in plugin.json manifest fields (agents, skills, commands, hooks) remain within the plugin root, enabling attackers to use absolute paths or ../ traversal sequences to exfiltrate local files. Verified proof-of-concept demonstrates a malicious plugin copying external markdown files into .github/prompts/ through the auto-integration pipeline. Exploitation requires user interaction (installing a malicious plugin), but no authentication is required once the user initiates installation. CVSS 7.1 (High) reflects significant confidentiality and integrity impact in a local supply-chain attack scenario. Vendor-released patch available in apm-cli 0.8.12 per GitHub advisory GHSA-xhrw-5qxx-jpwr. No active exploitation (CISA KEV) confirmed, but publicly available exploit code exists with complete proof-of-concept including runnable scripts.
Technical ContextAI
Microsoft APM (AI Plugin Manager) CLI is a Python-based dependency management tool for AI agent components. The vulnerability exists in the plugin normalization workflow where the plugin_parser.py module processes plugin.json manifests during installation. The _resolve_sources() method at lines 336-348 joins attacker-controlled path strings from manifest fields (agents, skills, commands, hooks) with the plugin_path base directory using path concatenation, but only validates file existence and symlink status without performing canonical path resolution or containment checks. This violates CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) principles. The codebase already implements a secure pattern in _read_mcp_file() at lines 195-210 that resolves candidate paths and rejects escapes, but this pattern was not applied consistently to all manifest-controlled fields. The vulnerability spans both local plugin installation (install.py:2007-2015) and remote package downloads (github_downloader.py:2224-2230 through validation.py), with copied files automatically integrated into project directories by prompt_integrator.py. The affected package identifier is pkg:pip/apm-cli with CPE-style identification confirming Python pip distribution.
RemediationAI
Upgrade immediately to apm-cli version 0.8.12 or later, which addresses the path traversal vulnerability per vendor advisory GHSA-xhrw-5qxx-jpwr (https://github.com/microsoft/apm/security/advisories/GHSA-xhrw-5qxx-jpwr and https://github.com/advisories/GHSA-xhrw-5qxx-jpwr). Install the patched version using 'pip install --upgrade apm-cli==0.8.12' or later. If immediate upgrade is not feasible, implement these compensating controls with noted trade-offs: (1) Audit all plugin dependencies in apm.yml and remove any third-party or untrusted plugins, limiting installs to Microsoft-official or internally-vetted plugins only (reduces functionality and blocks community plugins). (2) Run 'apm install' in isolated containerized or virtual machine environments where no sensitive host files are readable, then manually copy only verified .apm/ output to production environments (adds operational overhead and delays). (3) Implement file system permissions to restrict read access from the user account running APM CLI to only project-specific directories, preventing access to sensitive configuration files elsewhere on the system (may break legitimate workflows requiring broader file access). (4) Review .apm/ and .github/prompts/ directories after every plugin installation for unexpected files and diff against known-good baselines before committing to version control (manual effort required, does not prevent initial exfiltration). After patching, verify the fix by attempting to install a test plugin with absolute or ../ paths in plugin.json manifest fields and confirming that installation fails with a containment violation error.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30562
GHSA-xhrw-5qxx-jpwr