Intel

AIKIDO-2026-956109

@openai/agents-core is vulnerable to Path Traversal

Path Traversal Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 30, 2026

40

Medium Risk

This Affects:

JS@openai/agents-core
0.9.0 - 0.10.1
Fixed in 0.11.0
Are you affected? Scan for Free

TL;DR

The sandbox module resolves LocalFile.src and LocalDir.src host paths and reads SKILL.md files during lazy local skill discovery before materializing them into a sandbox workspace. Before the fix these local sources are not constrained to the SDK process base directory, so an absolute or relative source path pointing outside that directory is materialized without restriction. An application that builds a manifest from attacker-influenced source or skill paths can therefore read host files and metadata outside the intended boundary, including by following symlinked ancestors. The fix constrains local sources to the base directory unless explicitly allowed via manifest.extraPathGrants and rejects symlink-escaping skill discovery.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application materializes local sandbox sources (LocalFile/LocalDir) or local skill sources from paths influenced by untrusted input.

Background info

@openai/agents-core is vulnerable to Path Traversal in versions 0.9.0 - 0.10.1.

How to fix this

Upgrade the @openai/agents-core and/or the @openai/agents library to the patch version.