GHSA-48x2-6pr9-2jjf: Network-AI: EnvironmentManager.restore() backup ID path traversal copies arbitrary directories into environment data

June 19, 2026

EnvironmentManager.restore(env, backupId) computes the backup path with join(envDir, '.backups', backupId) and only checks that this path exists. It does not resolve the result or verify that it remains under data/<env>/.backups.

A caller can pass a traversal backup ID such as ../../../outside/source-dir to restore files from an arbitrary directory into the target environment data directory. Confirmed in Network-AI 5.12.1.

References

github.com/Jovancoding/Network-AI/commit/a59c13a1f0ce0e8a0779a90343eef92fac5ab4c3
github.com/Jovancoding/Network-AI/releases/tag/v5.12.2
github.com/Jovancoding/Network-AI/security/advisories/GHSA-48x2-6pr9-2jjf
github.com/advisories/GHSA-48x2-6pr9-2jjf

Code Behaviors & Features

Detect and mitigate GHSA-48x2-6pr9-2jjf with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →