GHSA-PXHG-7XR2-W7XG

Vulnerability from github – Published: 2026-05-05 18:57 – Updated: 2026-05-05 18:57
VLAI?
Summary
PPTAgent: Arbitrary File Write via `save_generated_slides`
Details

Summary

This vulnerability has been fixed in https://github.com/icip-cas/PPTAgent/commit/418491a9a1c02d9d93194b5973bb58df35cf9d00.

The save_generated_slides MCP tool accepts a pptx_path argument and writes the generated PPTX file to that path without any workspace restriction or path validation:

# pptagent/mcp_server.py:288-300
async def save_generated_slides(pptx_path: str):
    """Save the generated slides to a PowerPoint file.

    Args:
        pptx_path: The path to save the PowerPoint file
    """
    pptx = Path(pptx_path)
    assert len(self.slides), (
        "No slides generated, please call `generate_slide` first"
    )
    pptx.parent.mkdir(parents=True, exist_ok=True)   # ← creates arbitrary directories
    self.empty_prs.save(pptx_path)                    # ← writes to arbitrary path

The call to pptx.parent.mkdir(parents=True, exist_ok=True) creates any intermediate directories, and self.empty_prs.save(pptx_path) writes a valid PPTX binary (ZIP archive) to the specified path. No is_relative_to(workspace) check is performed — contrast with download_file in deeppresenter/tools/search.py:290, which correctly enforces workspace confinement.

The server changes directory to WORKSPACE (if set) on startup, so relative paths land in the workspace. Absolute paths, however, reach any filesystem location accessible to the server process.

Impact

The concrete attack scenarios include

  1. Cron persistence (root-running server): pptx_path = "/etc/cron.d/backdoor" → writes a PPTX ZIP to a path the cron daemon reads; if the ZIP header is misinterpreted, this may corrupt cron or be exploitable depending on parser behaviour.
  2. Dot-file overwrite: pptx_path = "/home/user/.bashrc" → overwrites shell init file with a binary blob containing arbitrary content in the PPTX's embedded comments/custom properties.
  3. Directory traversal from workspace: pptx_path = "../../.ssh/known_hosts.pptx" → escapes workspace entirely.
  4. Denial of service: pptx_path = "/dev/sda" writes to a raw device.

Remediation

The potential fix is something like:

async def save_generated_slides(pptx_path: str):
    workspace = Path(os.getcwd()).resolve()
    target = Path(pptx_path).resolve()
    if not target.is_relative_to(workspace):
        raise ValueError(f"Access denied: path outside workspace: {target}")
    target.parent.mkdir(parents=True, exist_ok=True)
    self.empty_prs.save(str(target))
Severity ?
4.6 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pptagent"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.36"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42080"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T18:57:31Z",
    "nvd_published_at": "2026-05-04T17:16:25Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\n\u003e This vulnerability has been fixed in https://github.com/icip-cas/PPTAgent/commit/418491a9a1c02d9d93194b5973bb58df35cf9d00.\n\nThe `save_generated_slides` MCP tool accepts a pptx_path argument and writes the generated PPTX file to that path without any workspace restriction or path validation:\n\n```python\n# pptagent/mcp_server.py:288-300\nasync def save_generated_slides(pptx_path: str):\n    \"\"\"Save the generated slides to a PowerPoint file.\n\n    Args:\n        pptx_path: The path to save the PowerPoint file\n    \"\"\"\n    pptx = Path(pptx_path)\n    assert len(self.slides), (\n        \"No slides generated, please call `generate_slide` first\"\n    )\n    pptx.parent.mkdir(parents=True, exist_ok=True)   # \u2190 creates arbitrary directories\n    self.empty_prs.save(pptx_path)                    # \u2190 writes to arbitrary path\n```\n\nThe call to `pptx.parent.mkdir(parents=True, exist_ok=True)` creates any intermediate directories, and `self.empty_prs.save(pptx_path)` writes a valid PPTX binary (ZIP archive) to the specified path. No is_relative_to(workspace) check is performed \u2014 contrast with download_file in deeppresenter/tools/search.py:290, which correctly enforces workspace confinement.\n\nThe server changes directory to WORKSPACE (if set) on startup, so relative paths land in the workspace. Absolute paths, however, reach any filesystem location accessible to the server process.\n\n## Impact\n\nThe concrete attack scenarios include\n\n1. Cron persistence (root-running server): `pptx_path = \"/etc/cron.d/backdoor\"` \u2192 writes a PPTX ZIP to a path the cron daemon reads; if the ZIP header is misinterpreted, this may corrupt cron or be exploitable depending on parser behaviour.\n2. Dot-file overwrite: `pptx_path = \"/home/user/.bashrc\"` \u2192 overwrites shell init file with a binary blob containing arbitrary content in the PPTX\u0027s embedded comments/custom properties.\n3. Directory traversal from workspace: `pptx_path = \"../../.ssh/known_hosts.pptx\"` \u2192 escapes workspace entirely.\n4. Denial of service: `pptx_path = \"/dev/sda\"` writes to a raw device.\n\n## Remediation\n\nThe potential fix is something like:\n\n```python\nasync def save_generated_slides(pptx_path: str):\n    workspace = Path(os.getcwd()).resolve()\n    target = Path(pptx_path).resolve()\n    if not target.is_relative_to(workspace):\n        raise ValueError(f\"Access denied: path outside workspace: {target}\")\n    target.parent.mkdir(parents=True, exist_ok=True)\n    self.empty_prs.save(str(target))\n```",
  "id": "GHSA-pxhg-7xr2-w7xg",
  "modified": "2026-05-05T18:57:31Z",
  "published": "2026-05-05T18:57:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/icip-cas/PPTAgent/security/advisories/GHSA-pxhg-7xr2-w7xg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42080"
    },
    {
      "type": "WEB",
      "url": "https://github.com/icip-cas/PPTAgent/commit/418491a9a1c02d9d93194b5973bb58df35cf9d00"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/icip-cas/PPTAgent"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PPTAgent: Arbitrary File Write via `save_generated_slides`"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.