NanoClaw Host/Container Filesystem Boundary Vulnerability Allowing Arbitrary File Reads and Recursive Deletions
Vulnerability
A vulnerability in NanoClaw allows a compromised or prompt-injected container to read files from the host filesystem and, in some cases, recursively delete files outside of designated directories. This issue arises from improper handling of outbound attachments and outbox cleanup, which can be exploited through crafted message IDs and file values or through symlinked outbox files. The vulnerability affects all versions of NanoClaw.
Impact
Exploitation of this vulnerability could lead to unauthorized access to host files and potential recursive deletion of files outside the intended cleanup target.
Reproduction
The vulnerability can be reproduced by initializing a session and creating a symlinked file in the inbox directory that points to a file outside the allowed directory. When a message is sent with an attachment that includes the symlinked file, the container can read the host file. Similarly, crafting a message ID that escapes the outbox directory can trigger a cleanup process that mistakenly deletes files from the host.
Remediation
Users are advised to update to the latest version of NanoClaw, where this vulnerability has been addressed.
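Containment checks that close both paths the advisory describes, symlinked attachments and message-ID-driven outbox cleanup, as an added Python example. This is not NanoClaw's own code; the inbox/outbox layout, the message-ID format and the file names are assumptions.

```python
import os
import re
import shutil
import tempfile
from pathlib import Path

# Assumed ID format (the advisory does not give NanoClaw's): a bare token.
MESSAGE_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

def contained_path(base_dir, name):
    """Real path of base_dir/name if still inside base_dir after symlink/'..' resolution."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    return target if os.path.commonpath([base, target]) == base else None

def read_attachment(inbox_dir, name):
    """Read an inbox attachment; a symlink to a host file is refused."""
    target = contained_path(inbox_dir, name)
    if target is None or not os.path.isfile(target):
        return None
    return Path(target).read_bytes()

def cleanup_outbox(outbox_dir, message_id):
    """rmtree outbox/<id> only if the ID is a bare token naming a real dir inside outbox."""
    entry = os.path.join(outbox_dir, message_id)
    if not MESSAGE_ID_RE.fullmatch(message_id) or os.path.islink(entry):
        return False
    target = contained_path(outbox_dir, message_id)
    if target is None or not os.path.isdir(target):
        return False
    shutil.rmtree(target)
    return True

def demo():
    """Constructed scenario: symlinked inbox file plus traversal-style ID."""
    root = Path(tempfile.mkdtemp())
    inbox, outbox = root / "inbox", root / "outbox"
    inbox.mkdir()
    (outbox / "msg-1").mkdir(parents=True)
    secret = root / "host-secret.txt"
    secret.write_text("host-only")
    (inbox / "report.txt").write_text("ok")
    (inbox / "link.txt").symlink_to(secret)
    result = {"regular": read_attachment(inbox, "report.txt"),
              "symlink": read_attachment(inbox, "link.txt"),
              "traversal_id": cleanup_outbox(outbox, "../inbox"),
              "valid_id": cleanup_outbox(outbox, "msg-1")}
    result["host_untouched"] = inbox.is_dir() and secret.is_file()
    shutil.rmtree(root)
    return result
```

The legitimate attachment and the legitimate cleanup still succeed, while the symlinked file is never read and the traversal-style ID never reaches `rmtree`.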
