Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.13.0, Microsoft APM contains a Windows-specific archive extraction boundary failure in the legacy-bundle probe used by apm install <bundle> on supported Python 3.10 and 3.11 runtimes. When apm install is given a local .tar.gz that is not recognized as a plugin-format bundle, APM probes whether it is a legacy --format apm bundle. On Python versions earlier than 3.12, that probe extracts untrusted tar members with raw tar.extractall() without rejecting Windows absolute member names such as D:/.... This vulnerability is fixed in 0.13.0.
AnalysisAI
Archive extraction boundary failure in Microsoft APM's legacy-bundle probe allows local attackers to overwrite arbitrary files on Windows systems running Python 3.10 or 3.11. When users run 'apm install' on a malicious .tar.gz file, untrusted tar members bypass path validation, enabling absolute path writes (e.g., D:/...) that compromise system integrity. Fixed in version 0.13.0. No active exploitation confirmed at time of analysis, but the local attack vector with user interaction required (CVSS AV:L/UI:R) limits real-world risk to social engineering scenarios targeting AI agent developers on Windows platforms.
Technical ContextAI
Microsoft APM is a community-driven dependency manager for AI agents. The vulnerability stems from CWE-22 (Path Traversal) in the legacy-bundle installation probe mechanism. When processing .tar.gz archives not recognized as standard plugin-format bundles, APM attempts to extract them as legacy '--format apm' bundles. On Python versions 3.10 and 3.11 (but not 3.12+, which includes enhanced path validation), the code uses raw tar.extractall() without sanitizing Windows absolute paths. The Windows filesystem allows absolute drive-prefixed paths like 'D:/arbitrary/location' in tar member names, which bypass Unix-style '../' traversal checks. This Windows-specific weakness in archive handling predates Python 3.12's security improvements to the tarfile module. The affected CPE (cpe:2.3:a:microsoft:apm:*:*:*:*:*:*:*:*) indicates all versions prior to 0.13.0 on Windows with Python 3.10/3.11 are vulnerable.
RemediationAI
Upgrade Microsoft APM to version 0.13.0 or later, which implements proper path validation for tar member extraction in the legacy-bundle probe. Vendor advisory available at https://github.com/microsoft/apm/security/advisories/GHSA-mq5j-pw29-jcv3. For environments unable to immediately upgrade, implement compensating controls: (1) Upgrade Python runtime to 3.12 or later, which provides tarfile module hardening that blocks absolute path traversal independent of APM version - this is the strongest mitigation but may require application compatibility testing; (2) Restrict 'apm install' operations to trusted bundle sources only through organizational policy and code review processes - reduces attack surface but relies on human vigilance; (3) Run APM operations in sandboxed/containerized environments with minimal filesystem permissions to limit blast radius of arbitrary file writes - adds operational complexity and may break legitimate workflows requiring system-wide package installation. Note that workarounds do not eliminate the vulnerability, only reduce exploitation likelihood or impact.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30559
GHSA-mq5j-pw29-jcv3