Prompty
Monthly
{file:...} expansion resolved paths without confining them to the prompt directory or allowed roots, so absolute paths, ../ traversal, or symlinks could exfiltrate secrets, config, or credentials into the loaded prompt's fields. There is no public exploit identified at time of analysis and it is not in CISA KEV; NVD scores it 7.5 (High), reflecting confidentiality-only impact.
Arbitrary JavaScript execution in Microsoft's @prompty/core TypeScript loader (2.0.0-alpha.1 through 2.0.0-beta.2) allows an attacker who supplies a crafted .prompty file to run code during prompt loading. The loader passed .prompty markdown to gray-matter without disabling its executable 'js'/'javascript' frontmatter engines, so a '---js' frontmatter block is evaluated as Node.js at parse time. Exploitation requires the victim's application to load the malicious file (UI:P); no public exploit is identified at time of analysis and it is not on CISA KEV, but the fix commit ships a working proof-of-concept test.
{file:...} expansion resolved paths without confining them to the prompt directory or allowed roots, so absolute paths, ../ traversal, or symlinks could exfiltrate secrets, config, or credentials into the loaded prompt's fields. There is no public exploit identified at time of analysis and it is not in CISA KEV; NVD scores it 7.5 (High), reflecting confidentiality-only impact.
Arbitrary JavaScript execution in Microsoft's @prompty/core TypeScript loader (2.0.0-alpha.1 through 2.0.0-beta.2) allows an attacker who supplies a crafted .prompty file to run code during prompt loading. The loader passed .prompty markdown to gray-matter without disabling its executable 'js'/'javascript' frontmatter engines, so a '---js' frontmatter block is evaluated as Node.js at parse time. Exploitation requires the victim's application to load the malicious file (UI:P); no public exploit is identified at time of analysis and it is not on CISA KEV, but the fix commit ships a working proof-of-concept test.