GHSA-q9m2-fhv9-3jcf: `potato-annotation` has a Project-Boundary Bypass
validate_path_security decides whether a candidate path lies inside the project directory by string-prefix comparison (str.startswith) rather than by comparing path components. Any path outside the project directory whose string happens to begin with the project directory's path therefore passes the check, e.g. /tmp/potato_proj_demo_evil/... is accepted when the intended boundary is /tmp/potato_proj_demo. Sibling directories that share the prefix are treated as if they were inside the project boundary.
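The following is an added illustration of the bug class, not the project's own code: a prefix-based check of the kind described above beside a component-wise check that rejects the sibling-directory case. The function names, the project-directory layout and the sample paths are constructed for the example; only the startswith behaviour is taken from the advisory.

```python
import os
from pathlib import Path


def prefix_validate_path_security(path: str, project_dir: str) -> bool:
    """Vulnerable pattern (assumed shape, not the project's code):
    string-prefix containment. "/tmp/potato_proj_demo_evil/x" starts with
    "/tmp/potato_proj_demo", so a sibling directory is accepted."""
    return os.path.abspath(path).startswith(os.path.abspath(project_dir))


def hardened_validate_path_security(path: str, project_dir: str) -> bool:
    """Component-wise containment: resolve both paths (normalising '..' and
    following symlinks), then require project_dir to be an ancestor of, or
    equal to, the target. relative_to() compares path components, so a
    sibling that merely shares a string prefix raises ValueError."""
    root = Path(project_dir).resolve()
    target = Path(path).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        return False
    return True


def compare_checks(project_dir: str, candidates: list[str]) -> dict[str, tuple[bool, bool]]:
    """Run both checks over a list of candidate paths; returns
    {path: (prefix_result, hardened_result)} so the divergence is visible."""
    return {
        p: (prefix_validate_path_security(p, project_dir),
            hardened_validate_path_security(p, project_dir))
        for p in candidates
    }


if __name__ == "__main__":
    # Constructed sample inputs mirroring the advisory's example boundary.
    project = "/tmp/potato_proj_demo"
    candidates = [
        "/tmp/potato_proj_demo/annotations/task1.json",   # genuinely inside
        "/tmp/potato_proj_demo_evil/annotations/task1.json",  # sibling, shares prefix
        "/tmp/potato_proj_demo/../potato_proj_other/x.json",  # traversal out
    ]
    for path, (weak, strong) in compare_checks(project, candidates).items():
        print(f"{path}\n  prefix check: {weak}  component check: {strong}")
```

The hardened variant is also the right shape when a trailing separator is appended to the prefix (a common partial fix), because that still mishandles the case where the target equals the project directory itself and does nothing about symlinks that point outside it; resolving both sides first and comparing components covers both.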