Currently browsing: Security

Overview
A command injection vulnerability was identified in the MS-Agent framework that can be triggered through unsanitized prompt-derived input. An attacker can craft untrusted input introduced via a chat prompt or other external content sources, resulting in arbitrary command execution on the target system(s) where the MS-Agent framework is deployed. No patch or vendor statement was obtained during the coordination process.
Description
MS-Agent is a lightweight framework that enables agents to perform autonomous task execution and tool invocation. The MS-Agent framework includes several features, including a Shell tool that enables execution of commands on the target operating system to complete agentic actions.
A vulnerability has been identified that allows unsanitized input to be executed through the Shell tool. This occurs because the software does not sufficiently verify and sanitize content before execution. As a result, an attacker can leverage prompt injection techniques to influence the agent into executing unintended shell commands when interacting with attacker-controlled content.
The Shell tool relies on regular expression–based filtering in the check_safe() method, which is intended to restrict unsafe commands. The implemented default denylist can be bypassed, allowing crafted input to evade validation checks and reach the shell execution layer.
The vulnerability is tracked as:
CVE-2026-2256
Command injection vulnerability in ModelScope’s ms-agent allows an attacker to execute arbitrary operating system commands through crafted prompt-derived input.
This vulnerability may be exploited when the agent is instructed to process or retrieve external content, such as analyzing code, summarizing documents, or performing other tasks that involve interacting with attacker-controlled data. If the retrieved or processed content contains malicious command sequences that bypass the check_safe() validation, the agent may forward those commands to the Shell tool for execution.
The use of a regular expression denylist in the check_safe() method is insufficient to prevent command injection. Denylist-based filtering is inherently fragile and can often be bypassed through encoding, command obfuscation, or alternative shell syntax. In this case, the filtering logic can be circumvented, enabling arbitrary command execution within the execution context of the agent process.
Impact
An attacker who successfully exploits this vulnerability may execute arbitrary operating system commands on the target with the privileges of the MS-Agent process. This may allow modification of system files, lateral movement within the environment, establishment of persistence mechanisms, or exfiltration of sensitive data accessible to the agent.
Solution
No statement was provided by the vendor during coordination efforts. Users should deploy MS-Agent only in environments where ingested content is trusted, validated, or sanitized. Agents with shell execution capabilities should be sandboxed or executed with least-privilege permissions. Additional mitigation strategies include replacing denylist-based filtering with strict allowlists and implementing stronger isolation boundaries for tool execution.
Acknowledgements
Thanks to the reporter, Itamar Yochpaz, for this report. Document written by Christopher Cullen.

Overview
A path traversal vulnerability leading to arbitrary file write exist in PyMuPDF version 1.26.5, within the ‘embedded_get’ function in ‘main.py’. This vulnerability is caused by improper handling of untrusted embedded file metadata, which is used directly as an output path, enabling attackers to write files to arbitrary locations on the local system.
Description
PyMuPDF is a Python interface to the MuPDF document rendering engine, providing capabilities for parsing, rendering, searching, and modifying PDF documents.
The ‘embedded_get’ function in PyMuPDF is responsible for opening the provided PDF along with fetching metadata, such as the file name, if using ‘args.output’ it specifies were the file will be written to on the local system. When ‘args.output’ is not provided, the ‘embedded_get’ function falls back to embedded-file metadata, and opens that value in write-binary mode. Since write-binary mode has no constrictions or safety checks it can write anywhere to the local system.
If the derived output path is not supplied by using ‘args.output’, a crafted PDF can be used to target a location on the local system by using the PDF’s name. When an extracted embedded file using ‘embedded_get’ without specified ‘args.output, the tool can write the extracted content outside the intended directory, potentially to paths on the local system.
Impact
Successful exploitation can result in arbitrary file writing to locations permitted by the executing user. If done under an account with elevated privileges, it may overwrite system files. This can lead to privilege escalation, service disruption, or security bypass. ### Overview
A path traversal vulnerability leading to arbitrary file write exists in PyMuPDF version 1.26.5, within the embedded_get function in __main__.py. This vulnerability is caused by improper handling of untrusted embedded file metadata, which is used directly as an output path, enabling attackers to write files to arbitrary locations on the local system.
Description
PyMuPDF is a Python interface to the MuPDF document rendering engine, providing capabilities for parsing, rendering, searching, and modifying PDF documents.
The embedded_get function in PyMuPDF is responsible for opening the provided PDF along with fetching metadata, such as the file name. If using args.output, it specifies where the file will be written on the local system. When args.output is not provided, the embedded_get function falls back to embedded file metadata and opens that value in write-binary mode. Since write-binary mode has no constrictions nor safety checks, it can write to anywhere on the local system.
If the derived output path is not supplied with args.output, a crafted PDF can be used to target a location on the local system using the name of the PDF. When an embedded file is extracted using embedded_get without specified args.output, the tool can write the extracted content outside the intended directory, potentially to paths on the local system.
Impact
Successful exploitation can result in arbitrary file writing to locations permitted by the executing user. If done under an account with elevated privileges, it may overwrite system files. This can lead to privilege escalation, service disruption, or security bypass.
Solution
PyMuPDF has released version 1.26.7 to address this vulnerability. Affected users are encouraged to update as soon as possible.
Acknowledgements
Thanks to the reporter UKO. This document was written by Michael Bragg.
Solution
PyMuPDF has released version 1.26.7 to address this vulnerability. Affected users are encouraged to update as soon as possible.
Acknowledgements
Thanks to the reporter Jangwoo Choe (UKO). This document was written by Michael Bragg.

Overview
A prototype pollution vulnerability present in CASL Ability versions 2.4.0 through 6.7.4 is triggered through the rulesToFields() function in the extra module. The program’s library contains a method called setByPath() that does not properly sanitize property names, allowing attackers to add or modify properties on an object’s prototype.
Description
The CASL library provides a robust suite for managing attribute-based access control across various components, services, and queries. Access control is defined with a set of rule conditions. The library provides a set of default values for these conditions.
In JavaScript libraries like CASL, prototypes are template objects that serve as blueprints and inform the properties of their child objects. By exploiting this prototype pollution vulnerability, an attacker can inject arbitrary properties into global object prototypes, thereby affecting all child objects that inherit from them. The issue arises from a flaw in the setByPath() function, a component of the rulesToFields() function in the extra module.
The setByPath() function is intended to safely update only permitted fields; however, it fails to properly sanitize path segments before using them as object property keys. Consequently, special property names such as prototype and constructor are accepted as valid keys, allowing an attacker to modify the properties of object prototypes and constructor classes. Furthermore, the _proto_ special property can be used to traverse the prototype chain and ultimately write to Object.prototype, the root prototype of all objects. By polluting Object.prototype, an attacker can add arbitrary properties to all objects and compromise the prototype chain throughout the Node.js process.
Impact
As Object.prototype is the root prototype that all JavaScript objects inherit from, changes to its properties can be significant, allowing an attacker to execute arbitrary code and potentially leading to a complete system compromise. Additionally, an attacker can bypass intended authorization logic, allowing unauthorized access to sensitive resources. Furthermore, changes to Object.prototype can cause unintended behavior in application code, leading to logic manipulation and potentially allowing an attacker to perform actions that would normally be restricted.
Manipulating properties in Object.prototype can also cause crashes or unexpected behavior if polluted properties do not match expected types in the application code, leading to a denial of service. Overall, the Object.prototype pollution vulnerability poses a significant risk to applications and systems. Because the vulnerability exists in the CASL library, which is used by multiple applications and services, a single exploit can have a ripple effect, compromising multiple systems and potentially leading to a widespread security breach.
Solution
Users of the library should upgrade to version 6.7.5 or later, found at https://github.com/stalniy/casl/tree/master/packages/casl-ability.
Acknowledgements
Thanks to Maor Caplan from the Alma Security for coordinating the disclosure of this vulnerability. This document was written by Ayushi Kriplani and Dr. E. Drennan, CISSP.