gltf-pipeline is vulnerable to Path Traversal
77
High Risk
Affected versions of this package are vulnerable to Local File Inclusion (LFI) via absolute path manipulation in gltf-pipeline, a library used for optimizing and converting glTF/GLB 3D models. While the library blocks fetching of remote HTTP(S) URIs, it does not validate absolute paths, so an attacker who supplies a maliciously crafted model can cause arbitrary local files to be embedded into the generated GLB output. The attacker does this by giving a buffer resource a file URL, which leads to unauthorized file disclosure when the library runs in a server-side workflow. Depending on the permissions of the server process, this can expose sensitive system files or application data.
You are affected if you use a version within the vulnerable range and run it in a production environment.
gltf-pipeline is vulnerable to Path Traversal in versions 3.0.4 - 4.1.0.
Upgrade the gltf-pipeline library to the patched version.