Severity by source
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, the upload_wasm MCP tool accepted a filesystem path from the agent and uploaded whatever bytes the path resolved to, with no validation of location, symlink target, file size, or file format. This vulnerability is fixed in 0.x.y-security-1.
AnalysisAI
Arbitrary file read in JunoClaw's MCP upload_wasm tool allows local attackers to exfiltrate any file accessible to the agent process by providing crafted filesystem paths. The vulnerability affects all JunoClaw versions prior to 0.x.y-security-1 when an AI agent is induced to accept a malicious path parameter, enabling read access to sensitive files including configuration secrets, private keys, or source code. No active exploitation confirmed via CISA KEV, but the CVSS 8.5 HIGH score reflects significant confidentiality and integrity impact with changed scope. Fixed version 0.x.y-security-1 introduces comprehensive path validation including directory containment checks, symlink resolution guards, file size limits, and WebAssembly magic number verification.
Technical ContextAI
JunoClaw is an agentic AI platform built on Juno Network that exposes an MCP (Model Context Protocol) tool interface allowing AI agents to upload WebAssembly modules. The vulnerability stems from CWE-20 (Improper Input Validation) in the upload_wasm tool's path handling logic. Prior to the security patch, the tool accepted arbitrary filesystem paths from the agent without validating: (1) directory containment within the designated WASM_ROOT, (2) symlink resolution targets, (3) file size constraints, or (4) WebAssembly format magic numbers. The commit diff shows the introduction of a comprehensive path-guard module with 238 lines of test coverage, implementing defenses against path traversal via relative paths (../) or absolute paths, symlink-based escapes from the wasm directory, oversized file uploads (>8MB cap inferred from test fixture creating 9MB file), and non-WASM file uploads via magic byte validation (0x00 0x61 0x73 0x6d WebAssembly header). The CPE identifier cpe:2.3:a:dragonmonk111:junoclaw:*:*:*:*:*:*:*:* indicates this is a software library/application vulnerability affecting the DragonMonk111 vendor's JunoClaw product across all unpatched versions.
RemediationAI
Upgrade immediately to JunoClaw version 0.x.y-security-1 or later, available at https://github.com/Dragonmonk111/junoclaw/releases/tag/v0.x.y-security-1. The patch commit a7886cd (https://github.com/Dragonmonk111/junoclaw/commit/a7886cd) introduces a comprehensive path-guard validation module that enforces: directory containment within WASM_ROOT via resolved absolute path comparison, symlink target validation to prevent escapes, 8MB file size limit to block exfiltration of large datasets, and WebAssembly magic number verification (0x00 0x61 0x73 0x6d header) to prevent upload of arbitrary file types. If immediate patching is not feasible, implement these compensating controls with noted trade-offs: (1) Disable the upload_wasm MCP tool entirely via configuration - eliminates attack surface but breaks legitimate WebAssembly module upload workflows. (2) Run JunoClaw agents in a chroot jail or container with read-only mounts for all directories except a dedicated wasm upload directory - limits blast radius but requires container orchestration expertise and may break integrations expecting filesystem access. (3) Implement mandatory access control (AppArmor/SELinux) policies restricting agent process reads to /var/lib/junoclaw/wasm and denying access to /etc, /root, /home - effective containment but operationally complex and platform-specific. (4) Deploy file integrity monitoring (FIM) on sensitive paths to detect unauthorized reads as a detection control - provides forensic visibility but does not prevent initial exfiltration. None of these workarounds match the security posture of the vendor patch, which addresses the root cause via input validation. Verify patch application by confirming the path-guard module exists in mcp/src/utils/path-guard.ts and version string matches v0.x.y-security-1 in package metadata.
JunoClaw agentic AI platform exposes BIP-39 wallet mnemonics in plaintext through LLM tool-call parameters, leaking cryp
Command injection in JunoClaw's plugin-shell allowed adversarial argument construction to bypass the substring-based blo
Command injection in JunoClaw agentic AI platform versions prior to 0.x.y-security-1 allows local attackers to execute a
Server-Side Request Forgery in JunoClaw's WAVS bridge allows remote attackers to exploit the computeDataVerify function,
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29538