GHSA-WXHM-2MQ7-7697
Vulnerability from github – Published: 2026-07-17 19:46 – Updated: 2026-07-17 19:46Summary
Prompty loaders expanded ${file:...} references in .prompty frontmatter without enforcing that the resolved path stayed within an authorized directory. An attacker-controlled prompt file could use path traversal or an absolute path to cause the host application to read files accessible to the process.
Affected packages
- PyPI
promptyversions<= 2.0.0b1; fixed in2.0.0b2 - npm
@prompty/coreversions<= 2.0.0-beta.1; fixed in2.0.0-beta.2 - crates.io
promptyversions<= 2.0.0-beta.1; fixed in2.0.0-beta.2 - NuGet
Prompty.Coreversions<= 2.0.0-beta.1; fixed in2.0.0-beta.2
Impact
Applications that load untrusted .prompty files, user-provided prompt paths, or prompt bundles from less-trusted locations could disclose local files available to the application process when expanded values are logged, returned, or otherwise exposed.
Remediation
Upgrade to the fixed runtime version for your ecosystem. The fix makes file references secure by default: ${file:...} may only resolve within the directory tree containing the .prompty file. Host applications that need shared prompt assets outside that tree must explicitly provide allowed file roots through runtime load options. Absolute paths, .. traversal, and symlink escapes outside allowed roots are rejected.
Fix details
The patched runtimes canonicalize file-reference targets and allowed roots before reading referenced files, reject targets outside the prompt directory by default, and add regression coverage for traversal, absolute paths, explicit allowlists, and symlink escapes. The release commit is 88ac9948d7d37995edbb2f6d36913436626c39e1.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.0.0b1"
},
"package": {
"ecosystem": "PyPI",
"name": "prompty"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.0b2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.0.0-beta.1"
},
"package": {
"ecosystem": "npm",
"name": "@prompty/core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.0-beta.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.0.0-beta.1"
},
"package": {
"ecosystem": "crates.io",
"name": "prompty"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.0-beta.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.0.0-beta.1"
},
"package": {
"ecosystem": "NuGet",
"name": "Prompty.Core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.0-beta.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-53598"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-200"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-17T19:46:05Z",
"nvd_published_at": "2026-07-16T16:19:12Z",
"severity": "HIGH"
},
"details": "## Summary\nPrompty loaders expanded `${file:...}` references in `.prompty` frontmatter without enforcing that the resolved path stayed within an authorized directory. An attacker-controlled prompt file could use path traversal or an absolute path to cause the host application to read files accessible to the process.\n\n## Affected packages\n- PyPI `prompty` versions `\u003c= 2.0.0b1`; fixed in `2.0.0b2`\n- npm `@prompty/core` versions `\u003c= 2.0.0-beta.1`; fixed in `2.0.0-beta.2`\n- crates.io `prompty` versions `\u003c= 2.0.0-beta.1`; fixed in `2.0.0-beta.2`\n- NuGet `Prompty.Core` versions `\u003c= 2.0.0-beta.1`; fixed in `2.0.0-beta.2`\n\n## Impact\nApplications that load untrusted `.prompty` files, user-provided prompt paths, or prompt bundles from less-trusted locations could disclose local files available to the application process when expanded values are logged, returned, or otherwise exposed.\n\n## Remediation\nUpgrade to the fixed runtime version for your ecosystem. The fix makes file references secure by default: `${file:...}` may only resolve within the directory tree containing the `.prompty` file. Host applications that need shared prompt assets outside that tree must explicitly provide allowed file roots through runtime load options. Absolute paths, `..` traversal, and symlink escapes outside allowed roots are rejected.\n\n## Fix details\nThe patched runtimes canonicalize file-reference targets and allowed roots before reading referenced files, reject targets outside the prompt directory by default, and add regression coverage for traversal, absolute paths, explicit allowlists, and symlink escapes. The release commit is `88ac9948d7d37995edbb2f6d36913436626c39e1`.",
"id": "GHSA-wxhm-2mq7-7697",
"modified": "2026-07-17T19:46:05Z",
"published": "2026-07-17T19:46:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/microsoft/prompty/security/advisories/GHSA-wxhm-2mq7-7697"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53598"
},
{
"type": "WEB",
"url": "https://github.com/microsoft/prompty/commit/88ac9948d7d37995edbb2f6d36913436626c39e1"
},
{
"type": "PACKAGE",
"url": "https://github.com/microsoft/prompty"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Prompty: Arbitrary file read via file reference expansion"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.