
[New Advisory] Arbitrary File Write via Path Traversal in agno LocalFileSystemTools #7253

@hacnho

Advisory Details

Package: agno (pip)
Repository: https://github.com/agno-agi/agno
CWE: CWE-22 (Path Traversal)
Severity: High

Summary

write_file() in LocalFileSystemTools accepts arbitrary directory and filename parameters with zero path validation. Every other file tool class in agno uses _check_path() for path validation, but LocalFileSystemTools was missed.

Details

The write_file() method constructs a file path from user-supplied directory and filename without any validation or path canonicalization. An attacker can supply ../../etc/cron.d/ as directory and write arbitrary files anywhere on the filesystem.

Other file tool classes in the codebase (e.g., S3Tools, GCSTools) implement _check_path() to prevent path traversal, but LocalFileSystemTools lacks this check entirely.

PoC

  1. Initialize LocalFileSystemTools with base_dir="/app/data"
  2. Call write_file(directory="../../etc/cron.d", filename="backdoor", content="* * * * * root /tmp/shell.sh")
  3. File is written to /etc/cron.d/backdoor — path traversal escapes base_dir

Impact

Arbitrary file write on the host filesystem. Can lead to remote code execution via cron jobs, SSH authorized_keys, or overwriting application config.
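A containment check of the kind the advisory says the other file tool classes apply, written here as an added example that is not agno's own code: resolve_inside, write_file_checked, is_contained and demo are hypothetical names, and the sample paths are constructed. It canonicalizes the joined path and rejects anything that lands outside base_dir, including the ../../etc/cron.d input from the PoC and absolute directory values.

```python
# Added example (not agno's code): the containment check the advisory says
# LocalFileSystemTools.write_file() lacks. Names are hypothetical.
from pathlib import Path
import tempfile


class PathTraversalError(ValueError):
    """Raised when a requested path would land outside base_dir."""


def resolve_inside(base_dir: str, directory: str, filename: str) -> Path:
    """Join base_dir/directory/filename, canonicalize it and require that the
    result stays under base_dir. Path.resolve() collapses '..' segments and
    symlinks before the check; since joining an absolute 'directory' discards
    base_dir, absolute inputs fail the same parent check."""
    if filename in ("", ".", "..") or Path(filename).name != filename:
        raise PathTraversalError(f"invalid filename: {filename!r}")
    base = Path(base_dir).resolve()
    target = (base / directory / filename).resolve()
    if base not in target.parents:
        raise PathTraversalError(f"{directory!r}/{filename!r} escapes {base}")
    return target


def write_file_checked(base_dir: str, directory: str, filename: str,
                       content: str) -> Path:
    """write_file() with the containment check applied before touching disk."""
    target = resolve_inside(base_dir, directory, filename)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(content)
    return target


def is_contained(base_dir: str, directory: str, filename: str) -> bool:
    """True if the request is inside base_dir, False if the check rejects it."""
    try:
        resolve_inside(base_dir, directory, filename)
        return True
    except PathTraversalError:
        return False


def demo() -> tuple:
    """Run a normal write and the PoC's traversal input against a temporary
    base_dir (constructed sample; nothing is written outside it)."""
    with tempfile.TemporaryDirectory() as tmp:
        written = write_file_checked(tmp, "reports", "out.txt", "hello")
        content = written.read_text()
        rejected = not is_contained(tmp, "../../etc/cron.d", "backdoor")
    return content, rejected  # returns ('hello', True)
```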
