security: fix path traversal in CLI installer file downloads (#1383)

Fixes a path traversal vulnerability where unvalidated filenames from the
GitHub API could write files outside the intended directory.

Attack vector: a MITM attack or DNS hijacking could inject filenames
like "../../../../../../tmp/evil.ts" to write arbitrary files.

Fix: Validate filenames before download - block "..", "/", and "\\"
to ensure files are written only within ${dest}/cli/src/

Severity: HIGH/CRITICAL
Affects: All users running installer via curl|bash

Agent: security-auditor

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
A 2026-02-17 00:09:12 -08:00 committed by GitHub
parent 30138f6a8a
commit d2b6fc1ae4
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 11 additions and 1 deletions


@ -1,6 +1,6 @@
{
"name": "@openrouter/spawn",
"version": "0.3.1",
"version": "0.3.2",
"type": "module",
"bin": {
"spawn": "cli.js"
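Review bot: this hunk only bumps "version" from "0.3.1" to "0.3.2" in package.json; the filename validation the commit message describes (rejecting "..", "/" and "\\" before download) is not in this hunk, so the actual security change lives in the second changed file and must be reviewed there. Two things to check in that file: a substring denylist does not by itself reject an absolute path or a drive-letter prefix, so the joined path should also be resolved and confirmed to stay under ${dest}/cli/src/ (e.g. compare against the resolved base plus a path separator), and since the message rates this HIGH/CRITICAL for every curl|bash user, the version bump should be accompanied by a changelog or release note referencing #1383 so users who pinned 0.3.1 know to upgrade.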