Evolver Path Traversal Vulnerability in Fetch Command Allows Arbitrary File Write

A path traversal vulnerability has been identified in Evolver versions prior to 1.69.3. The issue arises in the skill download (fetch) command, where the --out= flag accepts user-provided paths without proper validation. This flaw enables directory traversal attacks, allowing attackers to write files to arbitrary locations on the filesystem. Exploitation of this vulnerability could overwrite critical system files or create files in sensitive areas, such as the user's home directory or SSH configuration.

Impact

Exploitation of this vulnerability allows for arbitrary file writing, which can lead to overwriting important system files, modifying application code or configuration, and in some cases, privilege escalation if the process has elevated rights.

Reproduction

To reproduce this vulnerability, use the fetch command with the --out= flag, specifying a path that traverses directories, such as ../../../etc/cron.d or ../../../home/user/.ssh. The lack of validation on the user-provided path will allow files to be written outside the intended directory.

Remediation

Users should update to Evolver version 1.69.3 or later, where this vulnerability has been patched.