v5.12.2 — Security patch (5 CVEs)
Security patch fixing 5 reported vulnerabilities in EnvironmentManager, SandboxPolicy, and ApprovalInbox.
Security fixes
GHSA-6x2m-p4xp-wg22 (Moderate) — EnvironmentManager.backup() symlink escape
_collectBackupFiles()now useslstatSyncand skips entries whereisSymbolicLink()is true. Symlinks are never followed, preventing backup from reading files outside the environment root.
GHSA-48x2-6pr9-2jjf (Moderate) — EnvironmentManager.restore() backup ID path traversal
restore()validatesbackupIdagainst/^[\w\-]+$/and assertsdirname(backupPath) === resolve(backupsDir)before any filesystem access. IDs like../../etcare rejected immediately.
GHSA-2fmp-9rvw-hc96 (High) — Poisoned backup manifest arbitrary recursive deletion
pruneBackups()no longer usesentry.pathfrom the manifest forrmSync. The deletion path is recomputed fromentry.backupIdafter format validation, and adirnamecheck enforces exactly one level of depth under the backups directory. A poisoned"path": "/"in a manifest is now harmless.
GHSA-jvcm-f35g-w78p (Moderate) — AgentRuntime sandbox path-prefix bypass
SandboxPolicy.resolvePath()andisPathAllowed()now use sep-anchored prefix checks (basePath + sep). The previous barestartsWith(basePath)check allowed/foo/barextrato match basePath/foo/bar.
GHSA-mxjx-28vx-xjjj (Moderate) — ApprovalInbox HTTP server unauthenticated
- New
secretoption onApprovalInboxOptions. When set,POST /:id/approveandPOST /:id/denyrequireAuthorization: Bearer <secret>. Validation usestimingSafeEqual(constant-time) to prevent timing oracle attacks.startServer()continues to default to127.0.0.1(loopback only).
Changed
- Version bump 5.12.1 -> 5.12.2 across all manifests and documentation headers.
Install: npm install network-ai@5.12.2 -- Published to npm with provenance.
Upgrading from 5.12.1: No breaking changes. The ApprovalInbox secret option is opt-in; existing deployments without a secret continue to work (backward-compatible but unauthenticated -- set a secret for any network-exposed instance).