VYPR
Unrated severity · NVD Advisory · Published Jun 18, 2026

nanobot: Path traversal via unsanitized WhatsApp document fileName enables arbitrary file write

CVE-2026-48716

Description

nanobot is a personal AI assistant. In versions 0.1.5.post3 and prior, the WhatsApp bridge in bridge/src/whatsapp.ts constructs a filesystem path using the fileName field from an incoming WhatsApp document message without sanitization. The WhatsApp bridge downloads media attachments and writes them to disk using a filename derived from the sender's message via documentMessage.fileName, which is concatenated with a prefix and its raw value is passed directly to path.join(mediaDir, outFilename). Node.js path.join resolves .. components, allowing an attacker to escape the intended media/ directory by sending a document with a crafted fileName such as ../../../.ssh/authorized_keys. Because the attacker also controls the file content (the downloaded buffer), this is a write-anywhere primitive — both path and content are attacker-controlled. A fix for this issue is planned for version 0.1.5.post4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Missing sanitization of the `fileName` field from WhatsApp document messages allows path traversal via `..` sequences."

Attack vector

An attacker sends a WhatsApp document to the bot number with a crafted `fileName` containing `../` sequences (e.g., `../../../../.ssh/authorized_keys`). The nanobot WhatsApp bridge auto-downloads the attachment and writes the attacker-controlled content to the resolved path, escaping the intended `media/` directory. Because Node.js `path.join` resolves `..` components, the attacker achieves a write-anywhere primitive — both the destination path and file content are attacker-controlled [ref_id=1]. No user interaction is required.

Affected code

The vulnerability is in `bridge/src/whatsapp.ts`, lines 198–209, where the `downloadMedia()` function constructs a filesystem path using the raw `fileName` field from an incoming WhatsApp document message. The attacker-controlled `fileName` is concatenated with a prefix and passed directly to `path.join(mediaDir, outFilename)` without sanitization [ref_id=1].

What the fix does

The recommended fix replaces the vulnerable concatenation `outFilename = prefix + fileName` with `const safeFileName = path.basename(fileName).replace(/[^a-zA-Z0-9._-]/g, '_')` to strip directory traversal characters, and adds a post-join boundary assertion to verify the resolved path stays within `mediaDir` [ref_id=1]. This prevents `..` sequences from escaping the intended directory.
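To make the difference between the two path constructions concrete, the following is an added example, not code from the nanobot project or from the advisory. It places the vulnerable concatenation described above beside the hardened form (`path.basename` plus the character allow-list, followed by a post-join boundary check), and it generalizes the check into a reusable `staysInside()` helper. The media directory `/srv/nanobot/media`, the prefix `wa_` and all input file names are constructed for the example; a POSIX `path` implementation is assumed.

```typescript
import * as path from "node:path";

// Constructed media directory standing in for nanobot's mediaDir.
export const mediaDir = path.resolve("/srv/nanobot/media");

// Vulnerable pattern as the advisory describes it: the raw fileName is
// concatenated with a prefix and handed straight to path.join, which
// normalizes ".." components and so lets the name climb out of mediaDir.
export function vulnerableOutPath(prefix: string, fileName: string): string {
  const outFilename = prefix + fileName;
  return path.join(mediaDir, outFilename);
}

// Returns true only if `candidate` resolves to a strict descendant of `baseDir`.
// Checking the path *after* normalization is what makes this robust: it does
// not matter how the traversal was spelled, only where the result lands.
export function staysInside(baseDir: string, candidate: string): boolean {
  const rel = path.relative(path.resolve(baseDir), path.resolve(candidate));
  return (
    rel !== "" && // baseDir itself is not a valid write target
    rel !== ".." &&
    !rel.startsWith(".." + path.sep) &&
    !path.isAbsolute(rel) // different root/drive (Windows) would be absolute
  );
}

// Hardened pattern: keep only the last path segment, replace every character
// outside a conservative allow-list, then assert the boundary after joining.
// Note that basename() alone is not enough: basename("..") is still "..", and
// the regex permits dots, so the boundary assertion is what rejects that case.
export function safeOutPath(prefix: string, fileName: string): string {
  const safeFileName = path.basename(fileName).replace(/[^a-zA-Z0-9._-]/g, "_");
  const outPath = path.join(mediaDir, prefix + safeFileName);
  if (!staysInside(mediaDir, outPath)) {
    throw new Error(`refusing to write outside ${mediaDir}: ${outPath}`);
  }
  return outPath;
}

// Convenience wrapper for callers that prefer a null result over an exception.
export function safeOutPathOrNull(prefix: string, fileName: string): string | null {
  try {
    return safeOutPath(prefix, fileName);
  } catch {
    return null;
  }
}
```

With the traversal string from the advisory, `vulnerableOutPath("wa_", "../../../.ssh/authorized_keys")` resolves to `/srv/nanobot/.ssh/authorized_keys` (the prefix only swallows the first `..`, the rest still climb), while `safeOutPath` turns the same input into `/srv/nanobot/media/wa_authorized_keys`. The boundary check is deliberately kept even though the sanitizer looks sufficient: an empty name or a bare `..` survives `basename()` and the allow-list, and only the post-join assertion rejects them.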

Preconditions

  • auth: The attacker must be a whitelisted WhatsApp sender, or the bot must be configured with `allow_from: "*"`
  • config: The nanobot WhatsApp bridge must be enabled and connected
  • input: The attacker sends a WhatsApp document message with a crafted fileName field

Reproduction

The advisory includes a full proof-of-concept script (`poc.mjs`) that replicates the vulnerable `downloadMedia()` function and demonstrates writing an attacker SSH public key to `~/.ssh/authorized_keys` using `fileName = '../../../../.ssh/authorized_keys'` [ref_id=1].

Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
