Listen to this Post
The `discover_pipeline_files()` helper in `src/ciguard/discovery.py` (introduced in v0.8.0 and used by the `scan_repo` MCP tool in v0.8.1) traverses a directory tree and follows symbolic links without any protection against paths that exit the intended scan root. Its only cycle-prevention mechanism tracks already‑visited resolved paths, but it never verifies that a resolved path still resides inside the originally requested directory.
An attacker who can plant a symlink inside a directory that a user (or an AI agent) will scan can cause the traversal logic to follow that symlink and start returning pipeline‑shaped files from arbitrary locations on the filesystem, such as ~/.aws/, ~/.config/, or even /etc/.
The vulnerability is triggered as soon as the `scan_repo` MCP tool is invoked on a directory that contains a malicious symlink. Because the tool returns not just the file paths but also (via subsequent `scan` calls) the full file content, an adversary can exfiltrate credentials, internal hostnames, deployment keys, and other secrets that commonly appear in CI/CD pipeline configuration files.
No special privileges are required beyond the ability to place a symlink (e.g., through a malicious repository clone or a crafted tarball). The only user interaction needed is that the victim (or an AI agent acting on behalf of the victim) runs the affected tool on the booby‑trapped directory.
The vulnerability is a classic confused‑deputy scenario in an MCP (Model Context Protocol) server: a trusted tool (ciguard) is tricked into performing operations outside its intended scope because it blindly trusts the input provided by the AI agent, which itself is under adversarial control.
DailyCVE form:
Platform: ciguard
Version: <=0.8.1
Vulnerability : Symlink path traversal
Severity: Medium (CVSS 4.4)
date: 2026‑04‑26
Prediction: Patch already available in v0.8.2 (2026‑04‑27)
What Undercode Say:
Analytics – The exploit relies on a missing `follow_symlinks` control and insufficient path‑canonicalization checks. The fix introduces `follow_symlinks=False` by default and filters results to those whose `.resolve()` lies under root.resolve(). Three regression tests (TestSymlinkSafety) now guard against re‑.
Reproduction (bash commands to simulate the attack):
Create a victim directory and plant a symlink to a sensitive area
mkdir -p /tmp/victim
ln -s /etc /tmp/victim/trojan
Run the vulnerable scan (pre‑fix)
python -c "
from pathlib import Path
from ciguard.discovery import discover_pipeline_files
for path in discover_pipeline_files(Path('/tmp/victim')):
print(path)
"
The output will include files under /etc (e.g., /etc/passwd, /etc/some‑pipeline‑config)
Exploit:
An adversary can embed the symlink in a repository that a developer or an AI agent will later scan. Once the `scan_repo` MCP tool is invoked, ciguard traverses the symlink and returns the contents of out‑of‑bounds pipeline‑shaped files. The attacker can then read secrets such as AWS credentials, API tokens, or SSH private keys.
Protection from this CVE:
- Upgrade to ciguard ≥ v0.8.2 immediately.
- If upgrading is not possible, avoid scanning untrusted directories with the `scan_repo` tool.
- In code using the library directly, set `follow_symlinks=False` (the new default) or manually filter results to only include paths that canonicalise under the intended root.
Impact:
- Confidentiality (High): Arbitrary pipeline‑shaped files (often containing hardcoded secrets, internal hostnames, deploy keys) can be leaked.
- Integrity (None): No data is modified.
- Availability (None): No direct denial‑of‑service.
- Scope (Changed): The vulnerable function can access resources outside its security domain (the scan root).
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
