fix(security): patch 5 CVEs — symlink escape, path traversal, poisoned manifest, sandbox prefix bypass, unauthenticated ApprovalInbox

jovanSAPFIONEER · jovanSAPFIONEER · commit a59c13a1f0ce · 2026-06-18T23:08:13.000+02:00
diff --git a/.claude-plugin/marketplace.json b/.claude-plugin/marketplace.json
@@ -6,14 +6,14 @@
   },
   "metadata": {
     "description": "Network-AI — a multi-agent coordination layer for Claude Code: shared blackboard state, permission gating, federated budgets, and audit queries over MCP.",
-    "version": "5.12.1"
+    "version": "5.12.2"
   },
   "plugins": [
     {
       "name": "network-ai",
       "source": "./",
       "description": "Gives Claude Code a multi-agent coordination layer over MCP — an atomic shared blackboard (locked propose/validate/commit), permission gating with HMAC/Ed25519-signed tokens, federated token-budget tracking, and append-only audit-log queries. Backed by an orchestrator with 29 framework adapters (LangChain, AutoGen, CrewAI, and more).",
-      "version": "5.12.1",
+      "version": "5.12.2",
       "author": {
         "name": "OpenClaw Community",
         "url": "https://github.com/Jovancoding/Network-AI"
diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json
@@ -1,7 +1,7 @@
 {
   "name": "network-ai",
   "description": "Gives Claude Code a multi-agent coordination layer over MCP — an atomic shared blackboard (locked propose/validate/commit), permission gating with HMAC/Ed25519-signed tokens, federated token-budget tracking, and append-only audit-log queries. Backed by an orchestrator with 29 framework adapters (LangChain, AutoGen, CrewAI, and more).",
-  "version": "5.12.1",
+  "version": "5.12.2",
   "author": {
     "name": "OpenClaw Community",
     "url": "https://github.com/Jovancoding/Network-AI"
diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
@@ -2,7 +2,7 @@
 
 ## Project Overview
 
-Network-AI is a TypeScript/Node.js multi-agent orchestrator — shared state, guardrails, budgets, and cross-framework coordination (v5.12.1). 3,269 tests across 33 suites.
+Network-AI is a TypeScript/Node.js multi-agent orchestrator — shared state, guardrails, budgets, and cross-framework coordination (v5.12.2). 3,269 tests across 33 suites.
 
 ## Architecture
 
diff --git a/ARCHITECTURE.md b/ARCHITECTURE.md
@@ -1,6 +1,6 @@
 # Architecture
 
-Network-AI v5.12.1 — TypeScript/Node.js multi-agent orchestrator with 29 adapters, 3,269 tests, 72+ modules.
+Network-AI v5.12.2 — TypeScript/Node.js multi-agent orchestrator with 29 adapters, 3,269 tests, 72+ modules.
 
 ## The Multi-Agent Race Condition Problem
 
diff --git a/AUDIT_LOG_SCHEMA.md b/AUDIT_LOG_SCHEMA.md
@@ -1,4 +1,4 @@
-# Audit Log Schema — Network-AI v5.12.1
+# Audit Log Schema — Network-AI v5.12.2
 
 Network-AI writes a JSONL audit trail during permission management and swarm execution. This document describes every field and event type.
 
diff --git a/BENCHMARKS.md b/BENCHMARKS.md
@@ -1,6 +1,6 @@
 # Benchmarks & Performance
 
-> Performance data for Network-AI v5.12.1 deployments. Your swarm is only as fast as the backend it calls — this page helps you choose the right setup.
+> Performance data for Network-AI v5.12.2 deployments. Your swarm is only as fast as the backend it calls — this page helps you choose the right setup.
 
 ## BlackboardValidator Throughput
 
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,18 @@ All notable changes to Network-AI will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [5.12.2] - 2026-06-18
+
+### Security
+- **GHSA-6x2m-p4xp-wg22** (Moderate) — `EnvironmentManager.backup()` now uses `lstatSync` instead of `statSync` in `_collectBackupFiles()`. Symlinks are detected with `isSymbolicLink()` and skipped, preventing backup from following symlinks outside the environment root.
+- **GHSA-48x2-6pr9-2jjf** (Moderate) — `EnvironmentManager.restore()` validates `backupId` against `/^[\w\-]+$/` and checks `dirname(backupPath) === resolve(backupsDir)` before any filesystem access, blocking path-traversal backup IDs such as `../../etc`.
+- **GHSA-2fmp-9rvw-hc96** (High) — `EnvironmentManager.pruneBackups()` no longer uses `entry.path` from the manifest for `rmSync`. The deletion path is recomputed from `entry.backupId` after format validation, and a `dirname` check ensures it is exactly one level under the backups directory. A poisoned `path: "/"` in a manifest is now harmless.
+- **GHSA-jvcm-f35g-w78p** (Moderate) — `SandboxPolicy.resolvePath()` and `isPathAllowed()` now use sep-anchored prefix checks (`basePath + sep`) instead of bare `startsWith(basePath)`. This prevents `/foo/barextra` from being accepted as a subpath of basePath `/foo/bar`.
+- **GHSA-mxjx-28vx-xjjj** (Moderate) — `ApprovalInbox` HTTP server now supports a `secret` option. When set, `POST /:id/approve` and `POST /:id/deny` require `Authorization: Bearer <secret>`. Validation uses `timingSafeEqual` (constant-time) to prevent timing attacks.
+
+### Changed
+- Version bump 5.12.1 → 5.12.2 across `package.json`, `skill.json`, `openapi.yaml`, README badge, Claude Code plugin manifests, and documentation headers.
+
 ## [5.12.1] - 2026-06-17
 
 ### Added
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -4,7 +4,7 @@ This file is read automatically by Claude Code when working in this repository.
 
 ## Project Overview
 
-Network-AI is a TypeScript/Node.js multi-agent orchestrator — shared state, guardrails, budgets, and cross-framework coordination. Version 5.12.1.
+Network-AI is a TypeScript/Node.js multi-agent orchestrator — shared state, guardrails, budgets, and cross-framework coordination. Version 5.12.2.
 
 ## Build & Test Commands
 
diff --git a/CODEX.md b/CODEX.md
@@ -4,7 +4,7 @@ This file is read automatically by OpenAI Codex CLI when working in this reposit
 
 ## Project Overview
 
-Network-AI is a TypeScript/Node.js multi-agent orchestrator — shared state, guardrails, budgets, and cross-framework coordination. Version 5.12.1.
+Network-AI is a TypeScript/Node.js multi-agent orchestrator — shared state, guardrails, budgets, and cross-framework coordination. Version 5.12.2.
 
 ## Build & Test Commands
 
diff --git a/INTEGRATION_GUIDE.md b/INTEGRATION_GUIDE.md
@@ -564,4 +564,4 @@ Run these before declaring the integration production-ready:
 
 ---
 
-*Network-AI v5.12.1 · MIT License · https://github.com/Jovancoding/Network-AI*
+*Network-AI v5.12.2 · MIT License · https://github.com/Jovancoding/Network-AI*
diff --git a/README.md b/README.md
@@ -5,7 +5,7 @@
 [![Website](https://img.shields.io/badge/website-network--ai.org-4b9df2?style=flat&logo=web&logoColor=white)](https://network-ai.org/)
 [![CI](https://github.com/Jovancoding/Network-AI/actions/workflows/ci.yml/badge.svg)](https://github.com/Jovancoding/Network-AI/actions/workflows/ci.yml)
 [![CodeQL](https://github.com/Jovancoding/Network-AI/actions/workflows/codeql.yml/badge.svg)](https://github.com/Jovancoding/Network-AI/actions/workflows/codeql.yml)
-[![Release](https://img.shields.io/badge/release-v5.12.1-blue.svg)](https://github.com/Jovancoding/Network-AI/releases)
+[![Release](https://img.shields.io/badge/release-v5.12.2-blue.svg)](https://github.com/Jovancoding/Network-AI/releases)
 [![npm](https://img.shields.io/npm/dw/network-ai.svg?label=npm%20downloads)](https://www.npmjs.com/package/network-ai)
 [![Tests](https://img.shields.io/badge/tests-3269%20passing-brightgreen.svg)](#testing)
 [![Adapters](https://img.shields.io/badge/frameworks-29%20supported-blueviolet.svg)](#adapter-system)
diff --git a/SKILL.md b/SKILL.md
@@ -755,7 +755,7 @@ The following findings are drawn from the **MAESTRO Agent Security Threat** fram
 
 | Control | How Network-AI addresses it |
 |---|---|
-| **Exact version pinning** | npm `package.json` uses exact `"version": "5.12.1"` — no semver range specifiers; `clawhub install network-ai` pins to a specific published version |
+| **Exact version pinning** | npm `package.json` uses exact `"version": "5.12.2"` — no semver range specifiers; `clawhub install network-ai` pins to a specific published version |
 | **Zero transitive dependency drift** | All bundled Python scripts use Python stdlib only — `pip install` is never required; there are no third-party packages to drift, be compromised upstream, or introduce CVEs |
 | **Signed, tagged releases** | Every release is committed with a signed Git tag (`v5.7.x`); commit hash is verifiable against CHANGELOG.md; GitHub releases link tag → diff → changelog entry |
 | **Supply chain monitoring** | npm package continuously scored by Socket.dev (score A); any new dependency or permission change triggers an alert |
diff --git a/lib/agent-runtime.ts b/lib/agent-runtime.ts
@@ -18,7 +18,7 @@
 import { spawn } from 'child_process';
 import { createHash } from 'crypto';
 import { readFile, writeFile, readdir, stat, mkdir } from 'fs/promises';
-import { join, normalize, isAbsolute, resolve, dirname } from 'path';
+import { join, normalize, isAbsolute, resolve, dirname, sep } from 'path';
 import { EventEmitter } from 'events';
 import type { ExecutionReceipt } from '../security';
 import { SecureTokenManager } from '../security';
@@ -395,16 +395,16 @@ export class SandboxPolicy {
     const normalized = this.resolvePath(filePath);
     if (!normalized) return false;
 
-    // Check blocked paths
+    // Check blocked paths (sep-anchored prefix — GHSA-jvcm-f35g-w78p)
     for (const blocked of this.config.blockedPaths) {
       const blockedAbs = resolve(this.config.basePath, blocked);
-      if (normalized.startsWith(blockedAbs)) return false;
+      if (normalized === blockedAbs || normalized.startsWith(blockedAbs + sep)) return false;
     }
 
-    // Check allowed paths
+    // Check allowed paths (sep-anchored prefix — GHSA-jvcm-f35g-w78p)
     for (const allowed of this.config.allowedPaths) {
       const allowedAbs = resolve(this.config.basePath, allowed);
-      if (normalized.startsWith(allowedAbs)) return true;
+      if (normalized === allowedAbs || normalized.startsWith(allowedAbs + sep)) return true;
     }
 
     return false;
@@ -418,8 +418,9 @@ export class SandboxPolicy {
       : join(this.config.basePath, normalized);
     const resolved = resolve(absolute);
 
-    // Traversal check
-    if (!resolved.startsWith(this.config.basePath)) return null;
+    // Traversal check — sep-anchored so '/foo/bar2' cannot match basePath '/foo/bar'
+    // (GHSA-jvcm-f35g-w78p).
+    if (resolved !== this.config.basePath && !resolved.startsWith(this.config.basePath + sep)) return null;
     return resolved;
   }
 
diff --git a/lib/approval-inbox.ts b/lib/approval-inbox.ts
@@ -18,7 +18,7 @@
 
 import { EventEmitter } from 'events';
 import { createServer, IncomingMessage, ServerResponse, Server } from 'http';
-import { randomBytes } from 'crypto';
+import { randomBytes, timingSafeEqual } from 'crypto';
 import type { ApprovalRequest, ApprovalDecision, ApprovalCallback } from './agent-runtime';
 
 // ============================================================================
@@ -48,6 +48,13 @@ export interface ApprovalEntry {
 
 /** Options for the ApprovalInbox */
 export interface ApprovalInboxOptions {
+  /**
+   * Bearer token required for POST /approve and POST /deny endpoints.
+   * Strongly recommended in production — without a secret, any process that
+   * can reach the HTTP server can approve agent actions (GHSA-mxjx-28vx-xjjj).
+   * Clients must send: `Authorization: Bearer <secret>`.
+   */
+  secret?: string;
   /** Default timeout for approval requests in ms (default: 300000 = 5 min) */
   defaultTimeoutMs?: number;
   /** Maximum number of pending approvals (default: 100) */
@@ -106,6 +113,7 @@ export class ApprovalInbox extends EventEmitter {
   private readonly maxPending: number;
   private readonly maxHistory: number;
   private readonly pathPrefix: string;
+  private readonly secret: string | null;
 
   // Counters for stats (history may be truncated)
   private approvedCount = 0;
@@ -118,6 +126,7 @@ export class ApprovalInbox extends EventEmitter {
     this.maxPending = options.maxPending ?? 100;
     this.maxHistory = options.maxHistory ?? 1000;
     this.pathPrefix = (options.pathPrefix ?? '/approvals').replace(/\/$/, '');
+    this.secret = options.secret ?? null;
   }
 
   // --------------------------------------------------------------------------
@@ -389,6 +398,7 @@ export class ApprovalInbox extends EventEmitter {
     // POST /:id/approve
     const approveMatch = subPath.match(/^\/([a-f0-9]+)\/approve$/);
     if (approveMatch && req.method === 'POST') {
+      if (!this.checkAuth(req, res)) return;
       this.readBody(req).then((body) => {
         const approvedBy = typeof body.approvedBy === 'string' ? body.approvedBy : 'anonymous';
         const reason = typeof body.reason === 'string' ? body.reason : undefined;
@@ -407,6 +417,7 @@ export class ApprovalInbox extends EventEmitter {
     // POST /:id/deny
     const denyMatch = subPath.match(/^\/([a-f0-9]+)\/deny$/);
     if (denyMatch && req.method === 'POST') {
+      if (!this.checkAuth(req, res)) return;
       this.readBody(req).then((body) => {
         const deniedBy = typeof body.deniedBy === 'string' ? body.deniedBy : undefined;
         const reason = typeof body.reason === 'string' ? body.reason : undefined;
@@ -437,6 +448,28 @@ export class ApprovalInbox extends EventEmitter {
     this.sendJson(res, 404, { error: 'Not found' });
   }
 
+  /**
+   * Validates the Authorization: Bearer <secret> header on mutating requests.
+   * Returns true if the request is authorized (or no secret is configured).
+   * Sends a 401/403 response and returns false if authorization fails.
+   * Uses constant-time comparison to prevent timing attacks (GHSA-mxjx-28vx-xjjj).
+   */
+  private checkAuth(req: IncomingMessage, res: ServerResponse): boolean {
+    if (this.secret === null) return true; // no secret configured — allow (backward-compatible)
+    const authHeader = req.headers['authorization'];
+    if (typeof authHeader !== 'string' || !authHeader.startsWith('Bearer ')) {
+      this.sendJson(res, 401, { error: 'Authorization: Bearer <token> required' });
+      return false;
+    }
+    const provided = Buffer.from(authHeader.slice(7));
+    const expected = Buffer.from(this.secret);
+    if (provided.length !== expected.length || !timingSafeEqual(provided, expected)) {
+      this.sendJson(res, 403, { error: 'Forbidden' });
+      return false;
+    }
+    return true;
+  }
+
   private sendJson(res: ServerResponse, status: number, data: unknown): void {
     const body = JSON.stringify(data);
     res.writeHead(status, {
diff --git a/lib/env-manager.ts b/lib/env-manager.ts
@@ -25,12 +25,13 @@ import {
   writeFileSync,
   copyFileSync,
   statSync,
+  lstatSync,
   rmSync,
   openSync,
   closeSync,
   constants,
 } from 'fs';
-import { join, resolve } from 'path';
+import { join, resolve, dirname } from 'path';
 import { randomUUID } from 'crypto';
 
 // ============================================================================
@@ -474,7 +475,15 @@ export class EnvironmentManager {
   restore(env: EnvName, backupId: string): RestoreResult {
     const envDir = this.getDataDir(env);
     const backupsDir = join(envDir, '.backups');
-    const backupPath = join(backupsDir, backupId);
+
+    // Reject IDs with path separators, dots, or other traversal characters (GHSA-48x2-6pr9-2jjf)
+    if (!/^[\w\-]+$/.test(backupId)) {
+      throw new Error(`Invalid backup ID: '${backupId}'`);
+    }
+    const backupPath = resolve(join(backupsDir, backupId));
+    if (dirname(backupPath) !== resolve(backupsDir)) {
+      throw new Error(`Backup ID '${backupId}' would escape the backups directory`);
+    }
 
     if (!existsSync(backupPath)) {
       throw new Error(`Backup '${backupId}' not found for environment '${env}'`);
@@ -531,10 +540,17 @@ export class EnvironmentManager {
     if (all.length <= keep) return 0;
 
     const toDelete = all.slice(keep);
+    const resolvedBackupsDir = resolve(join(this.getDataDir(env), '.backups'));
     let deleted = 0;
     for (const entry of toDelete) {
       try {
-        rmSync(entry.path, { recursive: true, force: true });
+        // Recompute the deletion path from backupId instead of trusting entry.path from
+        // the manifest — a poisoned manifest could set path to '/' and cause arbitrary
+        // recursive deletion (GHSA-2fmp-9rvw-hc96).
+        if (!/^[\w\-]+$/.test(entry.backupId)) continue;
+        const safePath = resolve(join(resolvedBackupsDir, entry.backupId));
+        if (dirname(safePath) !== resolvedBackupsDir) continue;
+        rmSync(safePath, { recursive: true, force: true });
         deleted++;
       } catch { /* ignore */ }
     }
@@ -603,10 +619,11 @@ export class EnvironmentManager {
         const full = join(current, entry);
         const rel = prefix ? `${prefix}/${entry}` : entry;
         try {
-          const info = statSync(full);
+          const info = lstatSync(full); // lstat: never follow symlinks out of backup root (GHSA-6x2m-p4xp-wg22)
+          if (info.isSymbolicLink()) continue; // skip symlinks entirely
           if (info.isDirectory()) {
             walk(full, rel);
-          } else {
+          } else if (info.isFile()) {
             results.push(rel);
           }
         } catch { /* skip */ }
diff --git a/openapi.yaml b/openapi.yaml
@@ -6,7 +6,7 @@ info:
     blackboard coordination, parallel agent spawning, and permission gating
     via AuthGuardian. Requires the companion MCP server:
     `npm install -g network-ai && npx network-ai-server --port 3001`
-  version: 5.12.1
+  version: 5.12.2
   license:
     name: MIT
     url: https://github.com/Jovancoding/Network-AI/blob/main/LICENSE
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "network-ai",
-  "version": "5.12.1",
+  "version": "5.12.2",
   "description": "AI agent orchestration framework for TypeScript/Node.js - 29 adapters (LangChain, AutoGen, CrewAI, OpenAI Assistants, LlamaIndex, Semantic Kernel, Haystack, DSPy, Agno, MCP, OpenClaw, A2A, Codex, MiniMax, NemoClaw, APS, Copilot, LangGraph, Anthropic Computer Use, OpenAI Agents SDK, Vertex AI, Pydantic AI, Browser Agent, Hermes, Orchestrator, RLM + streaming variants). Built-in CLI, security, swarm intelligence, real-time streaming, and agentic workflow patterns.",
   "homepage": "https://network-ai.org",
   "main": "dist/index.js",
diff --git a/references/adapter-system.md b/references/adapter-system.md
@@ -2,7 +2,7 @@
 
 ## Overview
 
-The SwarmOrchestrator uses an **adapter pattern** to work with any agent framework. Instead of being locked to one system, you bring your own agents — from any framework — and the orchestrator handles coordination, shared state, permissions, and parallel execution. As of v5.12.1, 29 adapters are included.
+The SwarmOrchestrator uses an **adapter pattern** to work with any agent framework. Instead of being locked to one system, you bring your own agents — from any framework — and the orchestrator handles coordination, shared state, permissions, and parallel execution. As of v5.12.2, 29 adapters are included.
 
 ```
 ┌─────────────────────────────────────────────────────────────┐
diff --git a/skill.json b/skill.json
@@ -1,6 +1,6 @@
 {
   "name": "SwarmOrchestrator",
-  "version": "5.12.1",
+  "version": "5.12.2",
   "description": "Local Python orchestration skill: multi-agent workflows via shared blackboard file, permission gating, token budget scripts, and persistent project context. The bundled Python scripts make no network calls and have zero third-party dependencies. The parent repository also contains a TypeScript engine (not included in this skill bundle). Workflow delegations via the host platform's sessions_send may invoke external model APIs.",
   "author": "Network-AI Community",
   "homepage": "https://network-ai.org",

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "network-ai",`
`3`	`3`	`"description": "Gives Claude Code a multi-agent coordination layer over MCP — an atomic shared blackboard (locked propose/validate/commit), permission gating with HMAC/Ed25519-signed tokens, federated token-budget tracking, and append-only audit-log queries. Backed by an orchestrator with 29 framework adapters (LangChain, AutoGen, CrewAI, and more).",`
`4`		`- "version": "5.12.1",`
	`4`	`+ "version": "5.12.2",`
`5`	`5`	`"author": {`
`6`	`6`	`"name": "OpenClaw Community",`
`7`	`7`	`"url": "https://github.com/Jovancoding/Network-AI"`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-# Audit Log Schema — Network-AI v5.12.1`
	`1`	`+# Audit Log Schema — Network-AI v5.12.2`
`2`	`2`
`3`	`3`	`Network-AI writes a JSONL audit trail during permission management and swarm execution. This document describes every field and event type.`
`4`	`4`
Original file line number	Diff line number	Diff line change
`@@ -564,4 +564,4 @@ Run these before declaring the integration production-ready:`
`564`	`564`
`565`	`565`	`---`
`566`	`566`
`567`		`-Network-AI v5.12.1 · MIT License · https://github.com/Jovancoding/Network-AI`
	`567`	`+Network-AI v5.12.2 · MIT License · https://github.com/Jovancoding/Network-AI`