GHSA-WXHM-2MQ7-7697

Vulnerability from github – Published: 2026-07-17 19:46 – Updated: 2026-07-17 19:46
VLAI
Summary
Prompty: Arbitrary file read via file reference expansion
Details

Summary

Prompty loaders expanded ${file:...} references in .prompty frontmatter without enforcing that the resolved path stayed within an authorized directory. An attacker-controlled prompt file could use path traversal or an absolute path to cause the host application to read files accessible to the process.

Affected packages

  • PyPI prompty versions <= 2.0.0b1; fixed in 2.0.0b2
  • npm @prompty/core versions <= 2.0.0-beta.1; fixed in 2.0.0-beta.2
  • crates.io prompty versions <= 2.0.0-beta.1; fixed in 2.0.0-beta.2
  • NuGet Prompty.Core versions <= 2.0.0-beta.1; fixed in 2.0.0-beta.2

Impact

Applications that load untrusted .prompty files, user-provided prompt paths, or prompt bundles from less-trusted locations could disclose local files available to the application process when expanded values are logged, returned, or otherwise exposed.

Remediation

Upgrade to the fixed runtime version for your ecosystem. The fix makes file references secure by default: ${file:...} may only resolve within the directory tree containing the .prompty file. Host applications that need shared prompt assets outside that tree must explicitly provide allowed file roots through runtime load options. Absolute paths, .. traversal, and symlink escapes outside allowed roots are rejected.

Fix details

The patched runtimes canonicalize file-reference targets and allowed roots before reading referenced files, reject targets outside the prompt directory by default, and add regression coverage for traversal, absolute paths, explicit allowlists, and symlink escapes. The release commit is 88ac9948d7d37995edbb2f6d36913436626c39e1.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.0b1"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "prompty"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.0b2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.0-beta.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@prompty/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.0-beta.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.0-beta.1"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "prompty"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.0-beta.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.0-beta.1"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Prompty.Core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.0-beta.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-53598"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-17T19:46:05Z",
    "nvd_published_at": "2026-07-16T16:19:12Z",
    "severity": "HIGH"
  },
  "details": "## Summary\nPrompty loaders expanded `${file:...}` references in `.prompty` frontmatter without enforcing that the resolved path stayed within an authorized directory. An attacker-controlled prompt file could use path traversal or an absolute path to cause the host application to read files accessible to the process.\n\n## Affected packages\n- PyPI `prompty` versions `\u003c= 2.0.0b1`; fixed in `2.0.0b2`\n- npm `@prompty/core` versions `\u003c= 2.0.0-beta.1`; fixed in `2.0.0-beta.2`\n- crates.io `prompty` versions `\u003c= 2.0.0-beta.1`; fixed in `2.0.0-beta.2`\n- NuGet `Prompty.Core` versions `\u003c= 2.0.0-beta.1`; fixed in `2.0.0-beta.2`\n\n## Impact\nApplications that load untrusted `.prompty` files, user-provided prompt paths, or prompt bundles from less-trusted locations could disclose local files available to the application process when expanded values are logged, returned, or otherwise exposed.\n\n## Remediation\nUpgrade to the fixed runtime version for your ecosystem. The fix makes file references secure by default: `${file:...}` may only resolve within the directory tree containing the `.prompty` file. Host applications that need shared prompt assets outside that tree must explicitly provide allowed file roots through runtime load options. Absolute paths, `..` traversal, and symlink escapes outside allowed roots are rejected.\n\n## Fix details\nThe patched runtimes canonicalize file-reference targets and allowed roots before reading referenced files, reject targets outside the prompt directory by default, and add regression coverage for traversal, absolute paths, explicit allowlists, and symlink escapes. The release commit is `88ac9948d7d37995edbb2f6d36913436626c39e1`.",
  "id": "GHSA-wxhm-2mq7-7697",
  "modified": "2026-07-17T19:46:05Z",
  "published": "2026-07-17T19:46:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/microsoft/prompty/security/advisories/GHSA-wxhm-2mq7-7697"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53598"
    },
    {
      "type": "WEB",
      "url": "https://github.com/microsoft/prompty/commit/88ac9948d7d37995edbb2f6d36913436626c39e1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/microsoft/prompty"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prompty: Arbitrary file read via file reference expansion"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…