Intel

AIKIDO-2026-161193

@microsoft/kiota is vulnerable to Path Traversal

Path TraversalCVE-2026-59864 Published 3 days ago

93

Critical Risk

This Affects:

JS@microsoft/kiota
0.0.1 - 1.32.4
Fixed in 1.32.5
Are you affected? Scan for Free

TL;DR

Kiota writes the static_template.file path from the x-ai-adaptive-card and x-ai-capabilities OpenAPI extensions verbatim into generated Microsoft 365 Copilot and Teams plugin manifests without validation. An attacker-controlled OpenAPI description can embed .. traversal segments or an absolute path in this field. When the generated plugin is later deployed, the AI host resolves the reference to a file outside the plugin package, causing path traversal and out-of-package file inclusion. The fix validates static_template.file as a relative path confined to the plugin output and rejects absolute, rooted, and traversal values.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you generate Microsoft 365 Copilot or Teams API plugins from an untrusted or attacker-influenced OpenAPI description.

Background info

@microsoft/kiota is vulnerable to Path Traversal in versions 0.0.1 - 1.32.4.

How to fix this

Upgrade the @microsoft/kiota library to the patch version.