Kestra task inputFiles accepts traversal filenames for worker file writes
Description
Kestra is an open-source, event-driven orchestration platform. Prior to versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43, Kestra task inputFiles writes rendered file names directly under the task working directory. When a flow forwards untrusted execution or webhook data into an inputFiles file name, a caller can use ../ path segments to create or overwrite files outside that task working directory on the worker filesystem. Versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43 patch the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"FilesService.inputFiles() renders and writes file paths without a containment check, allowing ../ segments in attacker-controlled map keys to escape the task working directory."
Attack vector
An attacker sends a crafted HTTP POST request to the Kestra webhook endpoint, providing a JSON payload where map keys contain `../` path segments [ref_id=1]. The webhook service forwards these attacker-controlled keys into the `inputFiles` property of a downstream task without sanitizing the file name. Because `FilesService.inputFiles()` writes the rendered file name directly under the task working directory without a containment check, the `../` segments allow the file to be created or overwritten outside the intended directory on the worker filesystem [ref_id=1]. The attack requires a flow that maps webhook body data into a JSON input and then uses that input as `inputFiles`. No authentication other than access to the webhook endpoint is needed.
What the fix does
The advisory states that Kestra versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43 patch the issue [ref_id=1]. While the diff is not reproduced here, the fix must add a containment check in `FilesService.inputFiles()` after rendering the file name, ensuring the resolved path stays within the task working directory. The existing guard in `LocalWorkingDir.resolve()` already rejects escaping paths, but `FilesService.inputFiles()` bypasses that guard by constructing a `File` directly. The patch closes this bypass by applying the same validation that `PluginUtilsService.createInputFilesInternal()` already uses (the `validFilename` check) or by enforcing that the rendered file path does not contain `../` sequences.
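An added illustration of the containment check described above, written as stand-alone Java for this page and not taken from the Kestra code base; the class name, the method names and the sample `inputFiles` map are constructed for the example. It places the unchecked resolution beside a hardened one that rejects names escaping the task working directory.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical class, not Kestra's own FilesService.
public class InputFilesContainment {

    // Unchecked pattern described in the advisory: the rendered name is joined to the
    // working directory as-is, so "../" segments in the name resolve outside it.
    static Path resolveUnchecked(Path workingDir, String renderedName) {
        return workingDir.resolve(renderedName);
    }

    // Hardened resolution: normalize the joined path and require that it still lies under
    // the absolute, normalized working directory. Path.startsWith compares whole components,
    // so "/tmp/task-a" does not match "/tmp/task-abc". Absolute names are rejected too,
    // because resolve() returns them unchanged. This is a lexical check; symlinks inside
    // the working directory are out of scope here.
    static Path resolveContained(Path workingDir, String renderedName) {
        Path root = workingDir.toAbsolutePath().normalize();
        Path target = root.resolve(renderedName).normalize();
        if (!target.startsWith(root) || target.equals(root)) {
            throw new IllegalArgumentException("inputFiles name escapes working directory: " + renderedName);
        }
        return target;
    }

    public static void main(String[] args) throws Exception {
        Path workingDir = Files.createTempDirectory("task-workdir-");

        // Constructed sample of an inputFiles map whose keys came from untrusted webhook data.
        Map<String, String> inputFiles = new LinkedHashMap<>();
        inputFiles.put("data/input.json", "{\"ok\": true}");
        inputFiles.put("../escape.txt", "created outside the task working directory");

        for (Map.Entry<String, String> e : inputFiles.entrySet()) {
            System.out.println("unchecked -> " + resolveUnchecked(workingDir, e.getKey()).normalize());
            try {
                Path safe = resolveContained(workingDir, e.getKey());
                Files.createDirectories(safe.getParent());
                Files.writeString(safe, e.getValue());
                System.out.println("written   -> " + safe);
            } catch (IllegalArgumentException ex) {
                System.out.println("rejected  -> " + ex.getMessage());
            }
        }
    }
}
```

Running it shows the first key written under the temporary working directory and the second rejected before any file is created, which is the behaviour a worker-side containment check should produce.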
Preconditions
- config: A Kestra flow must expose a JSON input that is forwarded to the inputFiles property of a task
- network: The attacker must be able to reach the webhook endpoint (default networking)
- input: The attacker supplies a JSON object whose keys contain ../ path segments
Reproduction
The bundle includes a full PoC. Create a flow with a JSON input `files`, a webhook trigger that maps `trigger.body.files` to input `files`, and a shell task that uses `inputFiles: "{{ inputs.files }}"`. Send POST to `/api/v1/main/executions/webhook/company.team/inputfiles_escape_poc/inputfiles-escape` with body `{"files": {"../escape.txt": "created outside the task working directory"}}`. The task writes `../escape.txt` relative to the working directory and the command `test -f ../escape.txt && echo escaped` confirms the file was created outside the sandbox [ref_id=1].
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/kestra-io/kestra/security/advisories/GHSA-q3fw-mvgv-pjr2 (MITRE, x_refsource_CONFIRM)