GHSA-G9C2-GF25-3X67

Vulnerability from github – Published: 2026-04-01 00:25 – Updated: 2026-04-01 00:25
VLAI?
Summary
@tinacms/graphql's `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions
Details

Summary

@tinacms/graphql uses string-based path containment checks in FilesystemBridge:

  • path.resolve(path.join(baseDir, filepath))
  • startsWith(resolvedBase + path.sep)

That blocks plain ../ traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the allowed content root, a path like content/posts/pivot/owned.md is still considered "inside" the base even though the real filesystem target can be outside it.

As a result, FilesystemBridge.get(), put(), delete(), and glob() can operate on files outside the intended root.

Details

The current bridge validation is:

function assertWithinBase(filepath: string, baseDir: string): string {
  const resolvedBase = path.resolve(baseDir);
  const resolved = path.resolve(path.join(baseDir, filepath));
  if (
    resolved !== resolvedBase &&
    !resolved.startsWith(resolvedBase + path.sep)
  ) {
    throw new Error(
      `Path traversal detected: "${filepath}" escapes the base directory`
    );
  }
  return resolved;
}

But the bridge then performs real filesystem I/O on the resulting path:

public async get(filepath: string) {
  const resolved = assertWithinBase(filepath, this.outputPath);
  return (await fs.readFile(resolved)).toString();
}

public async put(filepath: string, data: string, basePathOverride?: string) {
  const basePath = basePathOverride || this.outputPath;
  const resolved = assertWithinBase(filepath, basePath);
  await fs.outputFile(resolved, data);
}

public async delete(filepath: string) {
  const resolved = assertWithinBase(filepath, this.outputPath);
  await fs.remove(resolved);
}

This is a classic realpath gap:

  1. validation checks the lexical path string
  2. the filesystem follows the link target during I/O
  3. the actual target can be outside the intended root

This is reachable from Tina's GraphQL/local database flow. The resolver builds a validated path from user-controlled relativePath, but that validation is also string-based:

const realPath = path.join(collection.path, relativePath);
this.validatePath(realPath, collection, relativePath);

Database write and delete operations then call the bridge:

await this.bridge.put(normalizedPath, stringifiedFile);
...
await this.bridge.delete(normalizedPath);

Local Reproduction

This was verified llocally with a real junction on Windows, which exercises the same failure mode as a symlink on Unix-like systems.

Test layout:

  • content root: D:\bugcrowd\tinacms\temp\junction-repro4
  • allowed collection path: content/posts
  • junction inside collection: content/posts/pivot -> D:\bugcrowd\tinacms\temp\junction-repro4\outside
  • file outside content root: outside\secret.txt

Tina's current path-validation logic was applied and used to perform bridge-style read/write operations through the junction.

Observed result:

{
  "graphqlBridge": {
    "collectionPath": "content/posts",
    "requestedRelativePath": "pivot/owned.md",
    "validatedRealPath": "content\\posts\\pivot\\owned.md",
    "bridgeResolvedPath": "D:\\bugcrowd\\tinacms\\temp\\junction-repro4\\content\\posts\\pivot\\owned.md",
    "bridgeRead": "TOP_SECRET_FROM_OUTSIDE\\r\\n",
    "outsideGraphqlWriteExists": true,
    "outsideGraphqlWriteContents": "GRAPHQL_ESCAPE"
  }
}

That is the critical point:

  • the path was accepted as inside content/posts
  • the bridge read outside\secret.txt
  • the bridge wrote outside\owned.md

So the current containment check does not actually constrain filesystem access to the configured content root once a link exists inside that tree.

Impact

  • Arbitrary file read/write outside the configured content root
  • Potential delete outside the configured content root via the same assertWithinBase() gap in delete()
  • Breaks the assumptions of the recent path-traversal fixes because only lexical traversal is blocked
  • Practical attack chains where the content tree contains a committed symlink/junction, or an attacker can cause one to exist before issuing GraphQL/content operations

The exact network exploitability depends on how the application exposes Tina's GraphQL/content operations, but the underlying bridge bug is real and independently security-relevant.

Recommended Fix

The containment check needs to compare canonical filesystem paths, not just string-normalized paths.

For example:

  1. resolve the base with fs.realpath()
  2. resolve the candidate path's parent with fs.realpath()
  3. reject any request whose real target path escapes the real base
  4. for write operations, carefully canonicalize the nearest existing parent directory before creating the final file

In short: use realpath-aware containment checks for every filesystem sink, not path.resolve(...).startsWith(...) alone.

Resources

  • packages/@tinacms/graphql/src/database/bridge/filesystem.ts
  • packages/@tinacms/graphql/src/database/index.ts
  • packages/@tinacms/graphql/src/resolver/index.ts
Severity ?
7.1 (High)
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.2.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@tinacms/graphql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34604"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T00:25:22Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\n`@tinacms/graphql` uses string-based path containment checks in `FilesystemBridge`:\n\n- `path.resolve(path.join(baseDir, filepath))`\n- `startsWith(resolvedBase + path.sep)`\n\nThat blocks plain `../` traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the allowed content root, a path like `content/posts/pivot/owned.md` is still considered \"inside\" the base even though the real filesystem target can be outside it.\n\nAs a result, `FilesystemBridge.get()`, `put()`, `delete()`, and `glob()` can operate on files outside the intended root.\n\n## Details\n\nThe current bridge validation is:\n\n```ts\nfunction assertWithinBase(filepath: string, baseDir: string): string {\n  const resolvedBase = path.resolve(baseDir);\n  const resolved = path.resolve(path.join(baseDir, filepath));\n  if (\n    resolved !== resolvedBase \u0026\u0026\n    !resolved.startsWith(resolvedBase + path.sep)\n  ) {\n    throw new Error(\n      `Path traversal detected: \"${filepath}\" escapes the base directory`\n    );\n  }\n  return resolved;\n}\n```\n\nBut the bridge then performs real filesystem I/O on the resulting path:\n\n```ts\npublic async get(filepath: string) {\n  const resolved = assertWithinBase(filepath, this.outputPath);\n  return (await fs.readFile(resolved)).toString();\n}\n\npublic async put(filepath: string, data: string, basePathOverride?: string) {\n  const basePath = basePathOverride || this.outputPath;\n  const resolved = assertWithinBase(filepath, basePath);\n  await fs.outputFile(resolved, data);\n}\n\npublic async delete(filepath: string) {\n  const resolved = assertWithinBase(filepath, this.outputPath);\n  await fs.remove(resolved);\n}\n```\n\nThis is a classic realpath gap:\n\n1. validation checks the lexical path string\n2. the filesystem follows the link target during I/O\n3. the actual target can be outside the intended root\n\nThis is reachable from Tina\u0027s GraphQL/local database flow. The resolver builds a validated path from user-controlled `relativePath`, but that validation is also string-based:\n\n```ts\nconst realPath = path.join(collection.path, relativePath);\nthis.validatePath(realPath, collection, relativePath);\n```\n\nDatabase write and delete operations then call the bridge:\n\n```ts\nawait this.bridge.put(normalizedPath, stringifiedFile);\n...\nawait this.bridge.delete(normalizedPath);\n```\n\n## Local Reproduction\n\nThis was verified llocally with a real junction on Windows, which exercises the same failure mode as a symlink on Unix-like systems.\n\nTest layout:\n\n- content root: `D:\\bugcrowd\\tinacms\\temp\\junction-repro4`\n- allowed collection path: `content/posts`\n- junction inside collection: `content/posts/pivot -\u003e D:\\bugcrowd\\tinacms\\temp\\junction-repro4\\outside`\n- file outside content root: `outside\\secret.txt`\n\nTina\u0027s current path-validation logic was applied and used to perform bridge-style read/write operations through the junction.\n\nObserved result:\n\n```json\n{\n  \"graphqlBridge\": {\n    \"collectionPath\": \"content/posts\",\n    \"requestedRelativePath\": \"pivot/owned.md\",\n    \"validatedRealPath\": \"content\\\\posts\\\\pivot\\\\owned.md\",\n    \"bridgeResolvedPath\": \"D:\\\\bugcrowd\\\\tinacms\\\\temp\\\\junction-repro4\\\\content\\\\posts\\\\pivot\\\\owned.md\",\n    \"bridgeRead\": \"TOP_SECRET_FROM_OUTSIDE\\\\r\\\\n\",\n    \"outsideGraphqlWriteExists\": true,\n    \"outsideGraphqlWriteContents\": \"GRAPHQL_ESCAPE\"\n  }\n}\n```\n\nThat is the critical point:\n\n- the path was accepted as inside `content/posts`\n- the bridge read `outside\\secret.txt`\n- the bridge wrote `outside\\owned.md`\n\nSo the current containment check does not actually constrain filesystem access to the configured content root once a link exists inside that tree.\n\n## Impact\n\n- **Arbitrary file read/write outside the configured content root**\n- **Potential delete outside the configured content root** via the same `assertWithinBase()` gap in `delete()`\n- **Breaks the assumptions of the recent path-traversal fixes** because only lexical traversal is blocked\n- **Practical attack chains** where the content tree contains a committed symlink/junction, or an attacker can cause one to exist before issuing GraphQL/content operations\n\nThe exact network exploitability depends on how the application exposes Tina\u0027s GraphQL/content operations, but the underlying bridge bug is real and independently security-relevant.\n\n## Recommended Fix\n\nThe containment check needs to compare canonical filesystem paths, not just string-normalized paths.\n\nFor example:\n\n1. resolve the base with `fs.realpath()`\n2. resolve the candidate path\u0027s parent with `fs.realpath()`\n3. reject any request whose real target path escapes the real base\n4. for write operations, carefully canonicalize the nearest existing parent directory before creating the final file\n\nIn short: use realpath-aware containment checks for every filesystem sink, not `path.resolve(...).startsWith(...)` alone.\n\n## Resources\n\n- `packages/@tinacms/graphql/src/database/bridge/filesystem.ts`\n- `packages/@tinacms/graphql/src/database/index.ts`\n- `packages/@tinacms/graphql/src/resolver/index.ts`",
  "id": "GHSA-g9c2-gf25-3x67",
  "modified": "2026-04-01T00:25:22Z",
  "published": "2026-04-01T00:25:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-g9c2-gf25-3x67"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tinacms/tinacms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@tinacms/graphql\u0027s `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.