Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Read-only file disclosure gives C:H/I:N/A:N; low complexity, but exploitation depends on a victim loading an attacker-supplied prompt, so UI:R rather than NVD's UI:N.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Prompty is a markdown file format (.prompty) for LLM prompts. Prior to 2.0.0-beta.2, Prompty loaders expanded ${file:...} references in .prompty frontmatter without enforcing that resolved paths stayed within the prompt directory or allowed roots, allowing an attacker-controlled prompt file to read local files through absolute paths, .. traversal, or symlink escapes. This issue is fixed in versions 2.0.0-beta.2.
AnalysisAI
{file:...} expansion resolved paths without confining them to the prompt directory or allowed roots, so absolute paths, ../ traversal, or symlinks could exfiltrate secrets, config, or credentials into the loaded prompt's fields. There is no public exploit identified at time of analysis and it is not in CISA KEV; NVD scores it 7.5 (High), reflecting confidentiality-only impact.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target host application load an attacker-controlled .prompty file whose frontmatter includes a ${file:...} reference (in a field such as description) pointing outside the prompt directory via an absolute path, ../ traversal, or a symlink. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are moderately consistent but require nuance. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits or plants a malicious .prompty file whose frontmatter contains description: "${file:../../../../etc/passwd}" (or an absolute path, or a symlink pointing outside the prompt directory). When the victim application loads the prompt via the vulnerable Prompty loader, the loader reads the targeted file and inlines its contents into the resolved prompt fields, disclosing it downstream (e.g. … |
| Remediation | Vendor-released patch: upgrade Prompty to 2.0.0-beta.2 or later, which scopes ${file:...} references to the containing .prompty file's directory by default and adds PromptyLoadOptions.AllowedFileRoots for hosts to explicitly opt into additional read roots (see GHSA-wxhm-2mq7-7697 and commit 88ac9948d7d37995edbb2f6d36913436626c39e1). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Restrict file system permissions on all directories containing credentials or configuration using the principle of least privilege; audit user and process access to the affected system and revoke unnecessary permissions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44940