Qodo Qodo Gen IDE Path Traversal Vulnerability Allowing Arbitrary File Read

Vulnerability

A path traversal vulnerability has been identified in all versions of the Qodo Qodo Gen IDE. This vulnerability allows a threat actor to read arbitrary local files, both within and outside of current projects, on an end user's system. The issue can be exploited directly or through indirect prompt injection.

Impact

Exploitation of this vulnerability allows arbitrary file read access on the user's system, bypassing the project-scope restrictions that would normally confine the assistant's file access.

Reproduction

To reproduce this vulnerability, create a GitHub repository containing a symbolic link to a file or directory outside of the project's allowed scope. Once the repository is cloned, the symbolic link will be created in the local project. Then, upload a README file with instructions that prompt Qodo Gen to access the linked files. When Qodo Gen processes the README, it will follow the instructions and exfiltrate the contents of the linked files to a remote server.
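The root cause described above is a path check that trusts the symlink's location inside the project rather than where it resolves to. The following Python is an added example written for this page (it is not Qodo's code and does not reflect how Qodo Gen implements its checks): it shows a containment check that resolves symlinks first and only then decides whether a read stays inside the project root, exercised against a constructed fixture with a normal file, a symlink pointing outside the project, and a plain `..` traversal. The directory layout, file names and the function names `resolve_within_project` and `demo` are all assumptions made for the example.

```python
import tempfile
from pathlib import Path


def resolve_within_project(project_root, requested):
    """Return the real path of `requested` only if it lies inside `project_root`.

    Both the root and the candidate are resolved with symlinks followed, so a
    symlink placed inside the project that points elsewhere is judged by its
    target, not by where the link itself lives. Raises ValueError otherwise.
    """
    root = Path(project_root).resolve(strict=True)
    # A relative `requested` is taken relative to the root; an absolute one is kept.
    candidate = (root / requested).resolve(strict=True)
    # Containment: the resolved target must be the root itself or sit under it.
    if candidate != root and root not in candidate.parents:
        raise ValueError(
            f"refusing to read {requested!r}: resolves to {candidate} outside {root}"
        )
    return candidate


def demo():
    """Build a constructed fixture and report which reads the check permits.

    Layout (constructed for this example, created in a temporary directory):
        <tmp>/secret.txt          file outside the project
        <tmp>/project/README.md   ordinary project file
        <tmp>/project/leak        symlink -> <tmp>/secret.txt
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        outside = tmp / "secret.txt"
        outside.write_text("constructed secret outside the project\n")
        project = tmp / "project"
        project.mkdir()
        (project / "README.md").write_text("constructed README\n")
        (project / "leak").symlink_to(outside)

        results = {}
        for name in ("README.md", "leak", "../secret.txt"):
            try:
                resolve_within_project(project, name)
                results[name] = "allowed"
            except ValueError:
                results[name] = "blocked"
        return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15} {verdict}")
```

The important detail is that `resolve()` is applied to both sides before the comparison: checking `requested` with string prefix matching, or resolving only the root, would still accept the `leak` symlink because its own path is inside the project. A prompt-injected instruction to read a linked file then fails at the tool boundary regardless of what the README says.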

Added: Oct 17, 2025, 4:17 PM
Updated: Oct 17, 2025, 4:17 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.7
remediation: 0.0
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.