Intel

AIKIDO-2026-159054

@openai/agents-extensions is vulnerable to Path Traversal

Path Traversal Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 30, 2026

40

Medium Risk

This Affects:

JS@openai/agents-extensions
0.9.0 - 0.10.1
Fixed in 0.11.0
Are you affected? Scan for Free

TL;DR

The extensions sandbox providers materialize remote local sources through the shared localSources logic, which resolves host LocalFile/LocalDir paths before copying them into a provider workspace. Before the fix these local sources are not constrained to the configured source base directory, so a source path outside that directory is materialized without restriction. An application that passes attacker-influenced local source paths into a provider manifest can read host files outside the intended boundary, including through symlinked ancestors. The fix requires paths outside the base directory to be covered by manifest.extraPathGrants and preserves symlink rejection.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application materializes local sandbox sources (LocalFile/LocalDir) into a remote provider workspace from paths influenced by untrusted input.

Background info

@openai/agents-extensions is vulnerable to Path Traversal in versions 0.9.0 - 0.10.1.

How to fix this

Upgrade the @openai/agents-extensions library to the patch version.