CVE-2026-4092: Arbitrary File Write via Path Traversal in Google Clasp
Vulnerability ID: CVE-2026-4092
CVSS Score: 8.7
Published: 2026-03-13
Google Clasp versions prior to 3.2.0 are vulnerable to a path traversal flaw during the synchronization of remote Google Apps Script projects. This vulnerability allows an attacker to write arbitrary files to the victim's filesystem when cloning or pulling a malicious project, potentially leading to remote code execution.
TL;DR
A path traversal vulnerability in Google Clasp allows remote attackers to write arbitrary files to a user's system via crafted filenames in Google Apps Script projects, potentially leading to remote code execution.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-22
- CVSS v4.0: 8.7 (High)
- Attack Vector: Network / Requires User Interaction
- Impact: Arbitrary File Write / RCE
- Exploit Status: Proof of Concept (PoC) Available
- KEV Listed: No
Affected Systems
- Google Clasp (@google/clasp)
- @google/clasp: < 3.2.0 (Fixed in: 3.2.0)
Code Analysis
Commit: ba6bd66
Fix path traversal vulnerability in fetchRemote
Exploit Details
- GitHub: Proof of concept details included in the original fix Pull Request
Mitigation Strategies
- Upgrade to patched version of @google/clasp.
- Audit remote Google Apps Script projects prior to cloning.
- Execute development CLI tools within isolated containers or low-privilege accounts.
Remediation Steps:
- Run npm uninstall -g @google/clasp to remove the vulnerable version.
- Run npm install -g @google/clasp@latest to install the patched version (3.2.0+).
- Verify the installed version by running clasp --version.