GHSA-mjrq-xg2m-qg94LowCVSS 4.2
Vibe-Trading before 0.1.10 constructs the swarm run directory by joining a caller-supplied run...
🔗 CVE IDs covered (1)
📋 Description
Vibe-Trading before 0.1.10 constructs the swarm run directory by joining a caller-supplied run identifier onto the runs base directory without validation in run_dir (agent/src/swarm/store.py). A crafted run identifier supplied through the MCP swarm tools causes the application to read arbitrary run.json files outside the runs directory and to overwrite existing run.json files at traversed locations.
🔗 References (6)
- https://nvd.nist.gov/vuln/detail/CVE-2026-58171
- https://github.com/HKUDS/Vibe-Trading/pull/258
- https://github.com/HKUDS/Vibe-Trading/commit/f45fd85392f07b5e404e41d4fcb0ef0d6c2f87ab
- https://github.com/HKUDS/Vibe-Trading/releases/tag/v0.1.10
- https://www.vulncheck.com/advisories/vibe-trading-path-traversal-via-swarm-run-identifier
- https://github.com/advisories/GHSA-mjrq-xg2m-qg94