DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-r466-rxw4-3j9j: Path Traversal and Arbitrary File Write in Evolver fetch Command

Vulnerability ID: GHSA-R466-RXW4-3J9J
CVSS Score: 8.1
Published: 2026-04-22

The @evomap/evolver npm package prior to version 1.69.3 contains a critical path traversal vulnerability in its fetch command. Unsanitized input passed to the --out command-line flag allows an attacker to escape the intended directory structure and write arbitrary files to any location writable by the Node.js process.

TL;DR

A path traversal flaw in Evolver allows attackers to write arbitrary files to the filesystem by manipulating the --out flag in the fetch command. Upgrading to version 1.69.3 patches the vulnerability.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-22, CWE-73
  • Attack Vector: Network / Command Line Manipulation
  • CVSS Score: 8.1 (High)
  • Impact: Arbitrary File Write, Potential RCE
  • Exploit Status: PoC Available
  • Patched Version: 1.69.3

Affected Systems

  • @evomap/evolver (npm package)
  • @evomap/evolver: < 1.69.3 (Fixed in: 1.69.3)

Exploit Details

  • Advisory Details: Proof of Concept demonstrating arbitrary directory creation and file write.

Mitigation Strategies

  • Upgrade the @evomap/evolver package to version 1.69.3 or later.
  • Implement command-line argument validation in execution wrappers to block ../ sequences.
  • Enforce least privilege by running the Node.js application under a restricted user account.
  • Deploy the application within a containerized or sandboxed filesystem environment.

Remediation Steps

  1. Identify all projects and pipelines utilizing @evomap/evolver.
  2. Update package.json dependencies to require >=1.69.3.
  3. Run npm install or yarn install to update the lockfiles.
  4. Audit the filesystem for unauthorized modifications if the vulnerability was previously exposed to untrusted input.
