Intel

AIKIDO-2026-477013

nx is vulnerable to Path Traversal

Path TraversalGHSA-vp3h-ghgh-jr7g Published Today

87

High Risk

This Affects:

JSnx
20.8.0 - 22.7.6
Fixed in 22.7.7
23.0.0 - 23.0.1
Fixed in 23.0.2
Are you affected? Scan for Free

TL;DR

The Nx self-hosted remote cache extracts tarball artifacts without confining the extraction path to the intended output directory. Archive entries with path traversal sequences or symlink/hardlink targets that point outside the workspace boundary are written to attacker-chosen locations on the filesystem. A compromised or malicious cache artifact can overwrite arbitrary files accessible to the build process, including executables and configuration files, which can lead to remote code execution. The fix confines tar extraction to a pre-created hashed directory, rejects unsafe archive entries, and restricts restore operations to declared, normalized outputs while blocking write-through via symlinks and hardlinks.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application uses the Nx self-hosted remote cache with artifacts from an untrusted or potentially compromised cache source.

Background info

nx is vulnerable to Path Traversal in versions 20.8.0 - 22.7.6 and 23.0.0 - 23.0.1.

How to fix this

Upgrade the nx library to the patch version.