Deerflow
Monthly
Sandbox escape in ByteDance Deer-Flow (pre-commit 92c7a20) enables remote attackers to execute arbitrary commands on the host system by exploiting incomplete shell semantics validation in bash tool handling. Attackers bypass regex-based input filters using directory traversal and relative paths to break sandbox isolation, read/modify host files, and invoke subprocesses with shell interpretation. Authentication requirements not confirmed from available data. No public exploit identified at time of analysis, though detailed technical advisory exists.
ByteDance Deer-Flow artifacts API fails to sanitize user-supplied HTML and script content before storage and rendering, enabling stored cross-site scripting (XSS) attacks that execute arbitrary scripts in the browser context of users viewing artifacts. All versions prior to commit 5dbb362 are affected; attackers can compromise sessions, steal credentials, and execute arbitrary JavaScript without authentication. A patch is available from the vendor via GitHub commit 5dbb3623b2f0e490c8bb3cd81b1e3b1b12eae1a6, and no public exploit code or active exploitation has been identified at time of analysis.
Sandbox escape in ByteDance Deer-Flow (pre-commit 92c7a20) enables remote attackers to execute arbitrary commands on the host system by exploiting incomplete shell semantics validation in bash tool handling. Attackers bypass regex-based input filters using directory traversal and relative paths to break sandbox isolation, read/modify host files, and invoke subprocesses with shell interpretation. Authentication requirements not confirmed from available data. No public exploit identified at time of analysis, though detailed technical advisory exists.
ByteDance Deer-Flow artifacts API fails to sanitize user-supplied HTML and script content before storage and rendering, enabling stored cross-site scripting (XSS) attacks that execute arbitrary scripts in the browser context of users viewing artifacts. All versions prior to commit 5dbb362 are affected; attackers can compromise sessions, steal credentials, and execute arbitrary JavaScript without authentication. A patch is available from the vendor via GitHub commit 5dbb3623b2f0e490c8bb3cd81b1e3b1b12eae1a6, and no public exploit code or active exploitation has been identified at time of analysis.