About vulnerability
Description
Spring AI’s support for Anthropic’s Skills API used LLM-influenced filenames unsanitized in Path.resolve before writing files to disk. This could allow a malicious user to write files outside the intended target directory, including restricted directories.
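The following is an added illustration of the pattern the advisory describes and of the check a fixed version would need; it is not Spring AI's code. `SkillFileWriter`, its root directory and the sample filenames are constructed for this example and stand in for a model-influenced name reaching `Path.resolve`.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

// Hypothetical writer for skill files; assumed names, not a Spring AI class.
public class SkillFileWriter {

    // Directory every written file must stay inside (absolute and normalized once).
    private final Path root;

    public SkillFileWriter(Path root) {
        this.root = root.toAbsolutePath().normalize();
    }

    // Vulnerable pattern from the advisory: the untrusted name goes straight into
    // resolve(). A name containing ".." segments, or an absolute path (which
    // resolve() returns unchanged), yields a location outside root.
    Path resolveUnchecked(String untrustedName) {
        return root.resolve(untrustedName);
    }

    // Hardened version: resolve, normalize away "." and ".." segments, then verify
    // the result is still a strict descendant of root before it is used.
    Path resolveChecked(String untrustedName) {
        Path candidate = root.resolve(untrustedName).normalize();
        if (!candidate.startsWith(root) || candidate.equals(root)) {
            throw new IllegalArgumentException(
                    "filename escapes target directory: " + untrustedName);
        }
        return candidate;
    }

    // Only the checked path is ever handed to the file system.
    void write(String untrustedName, String content) throws IOException {
        Path target = resolveChecked(untrustedName);
        Files.createDirectories(target.getParent());
        Files.writeString(target, content, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("skills");
        SkillFileWriter writer = new SkillFileWriter(root);

        // Constructed sample names standing in for LLM output: one benign,
        // one with a parent-directory segment, one absolute.
        String[] names = { "notes/summary.md", "../outside.txt", "/tmp/elsewhere.txt" };
        for (String name : names) {
            System.out.println("unchecked: " + name + " -> "
                    + writer.resolveUnchecked(name).normalize());
            try {
                System.out.println("checked:   " + name + " -> " + writer.resolveChecked(name));
            } catch (IllegalArgumentException e) {
                System.out.println("checked:   " + name + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

The containment check must run on the normalized path: `startsWith` on the raw `root.resolve(name)` result still passes for a `..` name because the parent segment is only collapsed by `normalize()`. If the target directory can contain symbolic links, compare real paths (`toRealPath()`) for the parent that already exists, since `normalize()` is purely lexical and does not follow links.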
Affected Spring Products and Versions
Spring AI:
- 1.1.0 - 1.1.x
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
| Affected version(s) | Fix version | Availability |
|---|---|---|
| 1.1.x | 1.1.7 | OSS |
References
- <https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N&version=3.1>