CVE-2026-45403
Description
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the AnythingLLM agent filesystem copy tool validates only the top-level source and destination paths. The recursive copy helper then descends into child entries using fs.stat() and copies files with fs.copyFile() without validating each child or rejecting symlinks. Because both APIs follow symlinks, a symlink nested inside an allowed source directory can point outside the allowed filesystem root and cause outside file contents to be copied into an allowed destination as a regular file. This vulnerability is fixed in 1.13.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AnythingLLM ≤1.12.0 filesystem copy tool follows nested symlinks, copying files from outside the allowed directory into an allowed destination as regular files.
Vulnerability
The AnythingLLM agent filesystem copy tool in versions prior to 1.13.0 validates only the top-level source and destination paths. The recursive copy helper then descends into child entries using fs.stat() and copies files with fs.copyFile() without validating each child or rejecting symlinks. Because both APIs follow symlinks, a symlink nested inside an allowed source directory can point outside the allowed filesystem root and cause outside file contents to be copied into an allowed destination as a regular file. This is fixed in commit 21ce03087145a4261c1de03b056fba639f699c09 which adds fs.lstat() checks and throws an error for symlinks during recursive copy [1].
Exploitation
An attacker needs write access to create a symlink inside an allowed source directory. No network access or authentication is required beyond local file write capability. The attacker creates a symlink pointing to a target file outside the allowed root (e.g., source/linked-secret.txt -> /path/outside/secret.txt). The victim then uses the copy tool with source=allowed_dir and destination=any_allowed_dir. The recursive copy follows the symlink and copies the outside file contents as a regular file into the destination, bypassing the top-level path validation [1].
Impact
The attacker gains disclosure of any file outside the allowed filesystem root that the victim process can read. This is an information disclosure vulnerability with low severity (CVSS 2.0) because it requires local write access and victim action, but can expose sensitive credentials or configuration files stored outside the intended sandbox [1].
Mitigation
Fixed in version 1.13.0 via commit 21ce03087145a4261c1de03b056fba639f699c09. The fix replaces fs.stat() with fs.lstat() in the recursive copy helper and throws an error if any entry is a symbolic link, preventing traversal outside the validated paths. Users should update to ≥1.13.0. No workaround exists for unpatched versions [1].
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <1.13.0
Patches
121ce03087145apply refactor for recursive copy-file with symlinks: GHSA-vjrp-43mm-j7vw
1 file changed · +8 −2
server/utils/agents/aibitat/plugins/filesystem/copy-file.js+8 −2 modified@@ -3,9 +3,15 @@ const path = require("path"); const filesystem = require("./lib.js"); async function copyRecursive(source, destination) { - const stats = await fs.stat(source); + const lstat = await fs.lstat(source); - if (stats.isDirectory()) { + if (lstat.isSymbolicLink()) { + throw new Error( + `Cannot copy symbolic link: ${source}. Symlinks are not allowed during copy operations.` + ); + } + + if (lstat.isDirectory()) { await fs.mkdir(destination, { recursive: true }); const entries = await fs.readdir(source); for (const entry of entries) {
Vulnerability mechanics
Root cause
"The recursive copy helper uses fs.stat() and fs.copyFile(), which follow symlinks, without validating each child entry or rejecting symlinks, allowing a nested symlink to point outside the allowed directory."
Attack vector
An attacker who can place or preserve a symlink inside an allowed filesystem-agent directory can exploit the copy tool [ref_id=1]. The tool validates only the top-level source and destination paths, then recursively descends using `fs.stat()` and `fs.copyFile()`, both of which follow symlinks [ref_id=1]. A symlink such as `source/linked-secret.txt -> /path/outside/secret.txt` causes the outside file's contents to be copied into the allowed destination as a regular file, bypassing the intended allowed-directory boundary [ref_id=1]. The precondition is that the attacker must have the ability to create or preserve a symlink within an already-allowed agent filesystem directory [ref_id=1].
Affected code
The vulnerability resides in `server/utils/agents/aibitat/plugins/filesystem/copy-file.js` and `server/utils/agents/aibitat/plugins/filesystem/lib.js` [ref_id=1]. The `copyRecursive` function uses `fs.stat()` (which follows symlinks) to inspect entries, and `fs.copyFile()` to copy them, without checking whether any child entry is a symlink pointing outside the allowed directory [ref_id=1]. The top-level handler validates only the source and destination paths, but the recursive descent into child entries performs no per-entry symlink or path validation [ref_id=1].
What the fix does
The patch replaces `fs.stat(source)` with `fs.lstat(source)` in the `copyRecursive` function [patch_id=3014232]. Before checking whether the entry is a directory, the code now first checks `lstat.isSymbolicLink()` and throws an error if a symlink is encountered, preventing the copy from following it [patch_id=3014232]. This closes the vulnerability by rejecting symlinks at every level of the recursive copy, rather than only validating the top-level paths [ref_id=1].
Preconditions
- inputAttacker must be able to place or preserve a symlink inside an allowed filesystem-agent directory
- authAttacker must have access to trigger the agent filesystem copy tool
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2News mentions
0No linked articles in our index yet.