CVE-2026-44641 - Microsoft APM CLI's plugin.json component paths escape plugin root and copy arbi

📡 GitHub-Advisory · 2026-05-07

CVE-2026-44641

GHSA-xhrw-5qxx-jpwr HIGH pip/apm-cli

CVE: CVE-2026-44641

Summary

Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are attacker-controlled, but the implementation does not enforce that those paths remain inside the plugin directory. A malicious plugin can therefore use absolute paths or ../ traversal paths to copy arbitrary readable host files or directories from the installer's machine during apm install.

In the verified primary proof of concept, a malicious plugin sets plugin.json.commands to an external markdown file. A single apm install copies that outside file into .apm/prompts/ and then auto-integrates it into .github/prompts/secret.prompt.md in the victim project. This is a local supply-chain trust-boundary violation with direct confidentiality and integrity impact.

Reviewed version and commit:

  • apm-cli version 0.8.11
  • main commit 70b34faa16a5a783424698163deeb028854fd23a

Details

Root cause:

  • src/apm_cli/deps/plugin_parser.py:336-348
    - _resolve_sources() joins manifest-controlled agents, skills, commands, and directory-form hooks paths with plugin_path
    - it checks only exists() and is_symlink()
    - it does not resolve the candidate and verify containment inside the plugin root
  • src/apm_cli/deps/plugin_parser.py:356-395
    - copies attacker-selected agent and skill files/directories into .apm/
  • src/apm_cli/deps/plugin_parser.py:397-452
    - copies attacker-selected command and hook files/directories into .apm/
  • src/apm_cli/deps/plugin_parser.py:436-442
    - string-form hook config paths are also copied without a root-containment check

There is already a safer precedent in the same module:

  • src/apm_cli/deps/plugin_parser.py:195-210
    - _read_mcp_file() resolves the candidate path
    - rejects paths escaping the plugin root
    - rejects symlinks
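A hardened resolver for manifest component paths, added here as an example and not apm-cli's own code: it resolves the joined path and checks containment in the plugin root the way the advisory says _read_mcp_file() already does, then exercises it against absolute, traversal, symlink and in-root entries. The helper names and the constructed plugin layout are assumptions.

```python
# Added example (not apm-cli's own code): a containment check of the kind the
# advisory credits to _read_mcp_file(), applied to plugin.json component paths.
# Function names and the sample manifest are hypothetical/constructed.
import tempfile
from pathlib import Path
from typing import Optional


def resolve_component_path(plugin_root: Path, candidate: str) -> Optional[Path]:
    """Return the resolved path if it stays inside plugin_root, else None.

    Rejects absolute manifest paths, ../ traversal and symlinks; the vulnerable
    _resolve_sources() only checked exists() and is_symlink() on the joined path.
    """
    root = plugin_root.resolve()
    # Path('/plugin') / '/etc/passwd' silently becomes '/etc/passwd'
    joined = plugin_root / candidate
    if joined.is_symlink():
        return None
    resolved = joined.resolve()
    # Containment check on the *resolved* path, not the raw join
    if not resolved.is_relative_to(root):
        return None
    return resolved if resolved.exists() else None


def audit_manifest(plugin_root: Path, manifest: dict) -> dict:
    """Classify each component path of a plugin.json-like dict as 'ok' or 'rejected'."""
    report = {}
    for field in ("agents", "skills", "commands", "hooks"):
        for entry in manifest.get(field, []):
            verdict = resolve_component_path(plugin_root, entry)
            report[f"{field}:{entry}"] = "ok" if verdict else "rejected"
    return report


def demo() -> dict:
    """Constructed plugin layout plus one file outside the root, to exercise the check."""
    base = Path(tempfile.mkdtemp())
    plugin = base / "plugin"
    (plugin / "commands").mkdir(parents=True)
    (plugin / "commands" / "build.md").write_text("# in-root command")
    outside = base / "secret.md"
    outside.write_text("# outside the plugin root")
    (plugin / "commands" / "link.md").symlink_to(outside)  # symlink escape attempt
    manifest = {
        "commands": ["commands/build.md", "../secret.md", str(outside), "commands/link.md"],
        "skills": ["skills/missing.md"],  # inside root but absent
    }
    return audit_manifest(plugin, manifest)
```

Only the in-root, non-symlink, existing file is accepted; every escape variant the advisory lists (absolute path, ../ traversal, symlink) is rejected before anything would be copied into .apm/.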

Reachability:

  • Local install path:
    - `src/apm_cli/commands/install.py

