CVE-2026-46383: Arbitrary File Overwrite via Path Traversal (TarSlip) in Microsoft APM

Microsoft APM functions as an open-source dependency manager designed specifically for AI agents. The tool allows users to install modules and plugins, frequently distributed as .tar.gz archives, via the apm install <bundle> command. To support backward compatibility, APM implements a probing phase that extracts the contents of a local archive to a temporary directory to check for the presence of a legacy apm.lock.yaml file.

The vulnerability, tracked as CVE-2026-46383, occurs during this probing phase. The extraction logic utilizes the standard Python tarfile library without adequate path sanitization for Windows environments. This oversight results in an arbitrary file overwrite vulnerability, commonly referred to as a "TarSlip" attack.

Because the extraction happens before the bundle's format is validated, the malicious payload is executed regardless of whether the bundle is ultimately accepted as valid. This path traversal vulnerability is categorized under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-73 (External Control of File Name or Path).

The fundamental flaw lies in how the tarfile.extractall() method handles archive members and how Python's os.path.join() interacts with absolute paths on Windows operating systems. By default, tarfile in Python versions prior to 3.12 does not sanitize member names that contain absolute paths or UNC paths.

When tarfile extracts a member, it appends the member's stored path to the target extraction directory using os.path.join(). On Windows, if os.path.join() encounters an absolute path component (e.g., D:/path or \\server\share), it discards all preceding path components. Consequently, an expression like os.path.join('C:/temp/apm_probe', 'D:/evil/startup.bat') resolves directly to D:/evil/startup.bat.

The APM legacy-bundle probe extracts the entire archive contents unconditionally to check for a single lock file. This unrestricted extraction passes attacker-controlled absolute paths directly to the vulnerable os.path.join() operation. The operation completely bypasses the intended temporary directory boundary, resulting in arbitrary file writes anywhere the executing user has permissions.

The vulnerability was mitigated in version 0.13.0 through commit 77d1dda8303c8d7ccb6148788a6274fdece98499. The patch introduces a comprehensive pre-extraction validation loop that inspects every archive member before any data is written to disk.

# src/apm_cli/bundle/local_bundle.py
for member in tar.getmembers():
    name = member.name
    if (
        name.startswith("/")
        or PureWindowsPath(name).drive
        or PureWindowsPath(name).is_absolute()
    ):
        return False # Reject Windows absolute paths
    try:
        validate_path_segments(name, context="tar member")
    except PathTraversalError:
        return False

The patched code uses pathlib.PureWindowsPath to accurately parse Windows-specific path semantics regardless of the host OS. It explicitly rejects any archive member where a drive letter (.drive) is specified or where the path is determined to be absolute (.is_absolute()).

Additionally, the code now invokes a validate_path_segments utility to detect and block relative traversal sequences, such as ... For environments running Python 3.12 or newer, the patch also implements the native filter="data" argument in tar.extractall(), as recommended by PEP 706, providing an additional layer of runtime protection against TarSlip attacks.

Exploitation requires social engineering or supply chain poisoning, as the victim must be induced to download and install a crafted archive. The attacker first generates a malicious .tar.gz file containing a member named with a Windows absolute path, such as C:/Users/Public/startup.bat.

The victim executes the command apm install malicious.tar.gz in their local environment. APM begins the installation process by entering the legacy-bundle probe phase, creating a temporary directory for extraction.

During extraction, the tarfile module reads the absolute path from the archive member. The os.path.join() function resolves the extraction path to the attacker's specified absolute path, ignoring the temporary directory base. The file is then written, overwriting any existing file or placing a new file at the specified location.

A successful exploit allows the attacker to write or overwrite arbitrary files on the victim's filesystem with the privileges of the user executing the apm install command. The CVSS v3.1 base score of 5.5 reflects the local attack vector, the requirement for user interaction, and the high impact to data integrity.

If the victim runs APM with administrative privileges, the attacker can overwrite critical system files or drop persistent malware into startup directories. Even under standard user privileges, an attacker can modify user-specific configuration files, overwrite SSH keys, or manipulate localized startup scripts to achieve code execution on the next login.

The vulnerability does not directly impact system availability or confidentiality according to the CVSS vector. The primary consequence is unauthorized data modification, which serves as a stepping stone for further local exploitation and persistence mechanisms.

The primary remediation for CVE-2026-46383 is to upgrade the microsoft/apm package to version 0.13.0 or later. This version contains the logic required to safely validate archive members prior to extraction on all supported platforms.

As a defense-in-depth measure, users should run APM on Python 3.12 or newer. Python 3.12 introduces native protections against TarSlip vulnerabilities via the filter parameter in tarfile.extractall(). The patched version of APM leverages this feature automatically when the modern runtime is detected.

Users who cannot immediately upgrade should strictly avoid installing APM bundles or plugins from unverified third-party sources. Administrators should also enforce least privilege principles, ensuring that the user account executing apm install does not possess administrative rights, thereby limiting the scope of any potential file overwrites.