(Paperclip), Arbitrary File Read, (High)

Listen to this Post

How the CVE Works:

The vulnerability stems from insufficient separation between agent-controlled configuration and server filesystem access. Attackers with an Agent API key can modify their own agent’s adapterConfig via the `PATCH /api/agents/:id` endpoint. The validation schema `adapterConfig: z.record(z.unknown())` permits arbitrary fields, including instructionsFilePath. During agent execution, the server runtime in `execute.ts` directly calls `fs.readFile(instructionsFilePath)` without any path normalization, allowlist, or workspace boundary checks. Because the path originates from attacker-controlled input, an attacker can supply any filesystem path (e.g., C:\\definitely-does-not-exist-paperclip-poc.txt). The server then attempts to read that file from the host filesystem. This breaks the intended trust boundary: agents should only interact with repositories through the orchestration layer, but the flawed API allows them to force the server to read arbitrary host files.

dailycve form:

Platform: Paperclip server
Version: Not specified
Vulnerability: Arbitrary file read
Severity: High
Date: Not disclosed

Prediction: Patch within 30 days

Analytics under What Undercode Say:

Find vulnerable code pattern
grep -r "fs.readFile(instructionsFilePath)" packages/adapters/claude-local/src/server/
Check if agent API allows modifying adapterConfig
curl -X PATCH http://paperclip-server/api/agents/{id} \
-H "Authorization: Bearer $AGENT_API_KEY" \
-H "Content-Type: application/json" \
-d '{"adapterConfig":{"instructionsFilePath":"/etc/passwd"}}'
Trigger agent execution to force file read
curl -X POST http://paperclip-server/api/agents/{id}/wakeup \
-H "Authorization: Bearer $AGENT_API_KEY"
Monitor server logs for file access attempts
tail -f paperclip.log | grep "ENOENT|readFile"

Exploit:

Attacker obtains an Agent API key → PATCH /api/agents/:id with malicious adapterConfig.instructionsFilePath → POST /api/agents/:id/wakeup → server executes fs.readFile(attacker_path) → file content loaded into runtime (or error if file missing).

Protection from this CVE

Restrict configuration authority: agents cannot modify adapterConfig.instructionsFilePath. Apply path validation: reject absolute paths, “..”, and system directories. Replace fs.readFile(user_supplied_path) with readFile(workspaceSafePath). Implement guard: if (request.auth?.principal === “agent” && body?.adapterConfig?.instructionsFilePath) throw error.

Impact:

Successful exploitation allows attackers to read sensitive files (e.g., .env, SSH keys, database credentials, API tokens, CI secrets). This can lead to exfiltration of secrets, access to private repositories, theft of infrastructure credentials, and pivoting to connected services, potentially compromising the entire deployment environment.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top