Agentic Context Engine Directory Traversal Vulnerability Allowing Arbitrary File Writes
Vulnerability
A directory traversal vulnerability has been identified in the agentic-context-engine project, affecting versions through 0.7.1. The vulnerability allows arbitrary file writes via the checkpoint_dir parameter in the OfflineACE.run method. The issue arises because the save_to_file method in ace/skillbook.py does not properly normalize or validate filesystem paths, enabling traversal sequences to escape the designated checkpoint directory. As a result, attackers can overwrite any files accessible to the application process, potentially leading to application corruption, privilege escalation, or code execution, depending on the deployment context.
Impact
Exploitation of this vulnerability allows unintended file writes outside the specified checkpoint directory, with the potential to overwrite critical application files or configuration settings. In multi-tenant or API-exposed environments, this could lead to unauthorized access or elevated privileges.
Reproduction
To reproduce this vulnerability, set the checkpoint_dir parameter to a path that includes traversal sequences, such as '../'. When the OfflineACE.run method is executed, the application will write files to the traversed location, bypassing the intended directory restriction.
Remediation
To address this vulnerability, normalize file paths by resolving them to their absolute form, then enforce the directory boundary by verifying that the resolved path remains within the intended directory. Input sanitization can additionally be implemented to reject traversal sequences and restrict paths to safe subdirectories.
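The resolve-then-check step described above, as an added example; this is not the project's code or its fix. The names resolve_checkpoint_dir, allowed_root and CheckpointPathError are hypothetical, and the sample inputs are constructed. It goes slightly beyond '../' by also covering absolute paths and a symlink that points out of the root.

```python
import os
import tempfile
from pathlib import Path


class CheckpointPathError(ValueError):
    """Raised when a requested checkpoint path leaves the allowed root."""


def resolve_checkpoint_dir(allowed_root, requested):
    """Return the absolute checkpoint directory, or raise if it escapes allowed_root."""
    # allowed_root: operator-chosen directory (hypothetical parameter).
    # requested: untrusted value, e.g. what a caller supplies as checkpoint_dir.
    root = Path(allowed_root).resolve(strict=True)
    # An absolute `requested` replaces root in the join; resolve() then collapses
    # ".." and follows symlinks, so the check sees the real write location.
    candidate = (root / requested).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise CheckpointPathError(f"{requested!r} resolves outside {root}") from None
    return candidate


def demo():
    """Run constructed inputs against a temporary root; map input -> verdict."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "checkpoints")
        root.mkdir()
        outside = Path(tmp, "outside")
        outside.mkdir()
        os.symlink(outside, root / "link")  # symlink inside root pointing out
        samples = ["run1", "run1/../run2", "../outside", "a/../../outside",
                   str(outside), "link/evil"]
        for value in samples:
            try:
                resolve_checkpoint_dir(root, value)
                results[value] = "accepted"
            except CheckpointPathError:
                results[value] = "rejected"
    return results


if __name__ == "__main__":
    for value, verdict in demo().items():
        print(f"{verdict:9} {value}")
```

Checking the resolved path rather than searching the string for '../' is what catches the absolute-path and symlink cases; a symlink created between the check and the write is not covered by this check.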
