Intel

AIKIDO-2026-864681

@openai/agents-extensions is vulnerable to Path Traversal

Path Traversal Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jul 2, 2026

59

Medium Risk

This Affects:

JS@openai/agents-extensions
0.9.0 - 0.9.1
Fixed in 0.10.0
Are you affected? Scan for Free

TL;DR

The Cloudflare sandbox provider in @openai/agents-extensions validates workspace tar archives before sending them to the remote worker during hydrateWorkspace. The archive validator does not inspect symlink member targets, so a crafted archive can include symlinks whose targets are absolute paths or use .. segments to escape the archive root. When such an archive is hydrated and extracted, those symlinks can point file reads or writes outside the intended workspace directory. The fix plumbs an allowExternalSymlinkTargets: false option through validateWorkspaceTarArchive, parses PAX linkpath, and rejects absolute or escaping symlink targets.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and use the Cloudflare sandbox provider to hydrate workspaces from untrusted tar archives.

Background info

@openai/agents-extensions is vulnerable to Path Traversal in versions 0.9.0 - 0.9.1.

How to fix this

Upgrade the @openai/agents-extensions library to the patch version.