ZeptoClaw Dangling Symlink Component Bypass, TOCTOU Vulnerability, and Hardlink Alias Bypass

Vulnerability

A vulnerability in ZeptoClaw, a personal AI assistant, prior to version 0.7.6, allows for a dangling symlink component bypass, a time-of-check-time-of-use (TOCTOU) vulnerability, and a hardlink alias bypass. These issues can lead to unauthorized cross-boundary path operations that escape the defined workspace limits. The vulnerability arises from inadequate path validation: a path that traverses a symlink can pass the check while resolving elsewhere, a validated component can be replaced before it is used, and a hardlink inside the workspace can reach an inode outside it.

Impact

Exploitation of these vulnerabilities can cause read and write operations to escape workspace boundaries, bypassing intended file access policies. This could lead to unauthorized modifications or readings of files outside the designated workspace.

Reproduction

1. Dangling symlink component bypass: create a symlink within the workspace that points to a non-existent target. Validate a path that traverses this symlink, then create the target directory outside the workspace. Perform a file operation to observe the boundary escape.

2. TOCTOU vulnerability: validate a path within the workspace, then quickly replace an intermediate component with a link to an external location before performing the file operation. This demonstrates how a concurrent change can exploit the timing gap between validation and use.

3. Hardlink alias bypass: place a hardlink inside the workspace that points to an external inode. Validate the hardlink path, then read or write through it. This shows how the hardlink can access external content while appearing to stay within workspace boundaries.
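An added defensive example, written for this page and not ZeptoClaw's own code (the page does not show the project's implementation): a Python routine that opens a file beneath a workspace by walking directory descriptors with O_NOFOLLOW instead of validating a path string and opening it later, which closes all three gaps described above (a symlink component, dangling or not, is refused; a component swapped after the walk passed it cannot redirect the walk; a multi-linked file is refused as a possible alias). All names are assumptions and it requires a POSIX system.

```python
import os
import stat


class PathEscape(Exception):
    """Raised when a request would reach outside the workspace."""


def open_in_workspace(workspace: str, rel_path: str, flags: int = os.O_RDONLY) -> int:
    """Open rel_path beneath workspace without following any symlink.

    Each component is opened relative to the previous directory descriptor
    with O_NOFOLLOW, so a symlink at any step fails with ELOOP and a component
    replaced after the walk has passed it cannot redirect the walk: the kernel
    resolves each step against the descriptor, not a re-parsed string. The
    returned descriptor is then checked for hardlink aliasing via its link count.
    """
    if os.path.isabs(rel_path):
        raise PathEscape("absolute paths are not allowed")
    parts = [p for p in rel_path.split(os.sep) if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PathEscape(f"rejecting {rel_path!r}: empty or parent traversal")
    dir_flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW | os.O_CLOEXEC
    dir_fd = os.open(workspace, os.O_RDONLY | os.O_DIRECTORY | os.O_CLOEXEC)
    try:
        for comp in parts[:-1]:
            try:
                nxt = os.open(comp, dir_flags, dir_fd=dir_fd)
            except OSError as e:  # ELOOP for a symlink, ENOTDIR/ENOENT otherwise
                raise PathEscape(f"component {comp!r}: {e.strerror}") from e
            os.close(dir_fd)
            dir_fd = nxt
        try:
            fd = os.open(parts[-1], flags | os.O_NOFOLLOW | os.O_CLOEXEC, dir_fd=dir_fd)
        except OSError as e:
            raise PathEscape(f"final component {parts[-1]!r}: {e.strerror}") from e
    finally:
        os.close(dir_fd)
    st = os.fstat(fd)
    # Heuristic hardlink check: a regular file with more than one name may be an
    # alias for an inode outside the workspace. This also rejects legitimately
    # multi-linked files, which is the safer default for an agent's workspace.
    if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
        os.close(fd)
        raise PathEscape(f"{rel_path!r} has {st.st_nlink} links; possible alias")
    return fd
```

On Linux 5.6 and later, openat2 with RESOLVE_BENEATH gives the same containment guarantee in a single system call, but it is not exposed by the Python standard library, so the descriptor walk above is the portable form.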

Remediation

Users should update to ZeptoClaw version 0.7.6, where these vulnerabilities have been addressed.

Added: Mar 12, 2026, 7:36 PM
Updated: Mar 12, 2026, 7:36 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 6.2
remediation: 0.0
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.