CVE-2026-4092: Arbitrary File Write via Path Traversal in Google Clasp

Google Clasp (@google/clasp) is the official command-line utility used by developers to manage Google Apps Script projects locally. The tool handles the synchronization of script files between the local filesystem and the remote Google Apps Script infrastructure. It relies on the Google Apps Script API to fetch project metadata and file contents during cloning or pulling operations.

CVE-2026-4092 identifies a critical path traversal vulnerability within the file synchronization mechanism of Clasp versions prior to 3.2.0. The vulnerability stems from the improper sanitization of remote filenames retrieved via the API. When a developer synchronizes a remote project, the tool fails to validate whether the remote filenames contain directory traversal sequences.

This improper input validation exposes developers to arbitrary file write attacks. An attacker can craft a malicious Google Apps Script project containing files named with traversal characters. When a victim clones or pulls this project, the malicious files are written to arbitrary locations on the victim's local filesystem, potentially resulting in remote code execution.

The root cause of CVE-2026-4092 lies in the fetchRemote function located within src/core/files.ts. This function maps the logical file structure returned by the Google Apps Script API to the physical local filesystem. The core logic retrieves the file name property directly from the remote API response and uses it to construct the local file path.

The Node.js path.resolve() function is utilized to compute the final absolute path by joining the intended project content directory with the remote filename. Because path.resolve() actively interprets traversal sequences such as ../ and absolute paths, any untrusted input passed into this function can alter the base directory resolution. The vulnerable implementation performs this operation without any prior sanitization of the remote filename.

Consequently, the application assumes that the remote API will only return safe, properly scoped filenames. This trust assumption is flawed, as the Google Apps Script platform allows users to define custom filenames within their projects. By manipulating these filenames, an attacker dictates the exact file path where Clasp will write the downloaded file content on the target system.

The vulnerable implementation of the path resolution logic directly concatenated the content directory with the unsanitized filename. The resulting path was then processed by path.relative to compute the destination for the file write operation.

// Vulnerable implementation snippet
const ext = getFileExtension(f.type, fileExtensionMap);
const localPath = path.relative(process.cwd(), path.resolve(contentDir, `${f.name}${ext}`));

The patch introduced in PR #1109 addresses this flaw by implementing a strict boundary check. A new helper function named isInside was added to verify that the final resolved path strictly resides within the intended project directory. This function evaluates the relative path between the parent directory and the requested child path.

// Patched implementation snippet
function isInside(parentPath: string, childPath: string): boolean {
  const relative = path.relative(parentPath, childPath);
  return (
    relative !== '' &&
    !relative.startsWith('..') &&
    !path.isAbsolute(relative)
  );
}

The fetchRemote function now applies this validation before writing any data. If the isInside check fails, the application aborts the operation and throws a security error. This ensures that even if path.resolve() computes a path outside the working directory, the file system operation is blocked.

Exploitation of CVE-2026-4092 requires user interaction, specifically the execution of clasp clone or clasp pull commands. The attacker must first construct a malicious Google Apps Script project. Within this project, the attacker renames one or more files to include directory traversal sequences, targeting specific sensitive files on standard operating systems.

For example, an attacker might name a file ../../../../.ssh/authorized_keys and populate its contents with their own public SSH key. The attacker then shares this project publicly or targets specific developers through social engineering, encouraging them to clone the repository for collaboration or review.

When the victim executes clasp clone <scriptId>, the tool queries the Google Apps Script API and retrieves the malicious file metadata. The vulnerable fetchRemote function processes the traversal sequence, escapes the project directory boundary, and overwrites the specified system file with the attacker's payload.

The primary impact of this path traversal vulnerability is arbitrary file write in the context of the user running the Clasp utility. Because developers frequently run Clasp under their primary user account, the tool typically possesses read and write access to the user's home directory. This allows an attacker to overwrite critical configuration files, user profiles, or credentials.

Arbitrary file write frequently leads to remote code execution (RCE) on developer workstations. An attacker can achieve RCE by overwriting shell configuration files such as .bashrc or .zshrc, adding SSH keys to authorized_keys, or modifying execution paths. When the user subsequently opens a terminal or logs into their machine, the malicious payload executes.

The CVSS v4.0 score of 8.7 reflects the high severity of the confidentiality, integrity, and availability impacts. While the attack vector requires user interaction, the exploitation complexity is extremely low. Attackers do not need to bypass memory mitigations or craft complex network payloads; they only require the victim to synchronize a specifically structured project.

To mitigate CVE-2026-4092, organizations and individual developers must update their @google/clasp installations to version 3.2.0 or higher. The update can be applied globally using the Node Package Manager via the command npm install -g @google/clasp@latest. This version includes the strict boundary validation required to prevent traversal attacks.

In environments where immediate patching is not feasible, developers must exercise strict operational hygiene. Users should only clone or pull Google Apps Script projects from fully trusted sources. Auditing the contents of a project via the Google Apps Script web interface prior to synchronizing it locally can help identify malicious filenames.

Running development tools with the principle of least privilege provides an additional layer of defense. Executing Clasp within an isolated container or a dedicated development user account restricts the impact of an arbitrary file write. If a traversal occurs within an isolated environment, the attacker is prevented from modifying the host system's primary user configuration files.