CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

GHSA-RH99-WC69-C255: CopyFile Policy Subversion via Symlinks in Edgeless Systems Contrast

Alon Barad
Software Engineer

May 1, 2026 · 5 min read

Executive Summary (TL;DR)

Contrast CLI versions prior to v1.19.1 generate insecure policies for the Kata Containers agent. An attacker can use symbolic links to bypass CopyFile restrictions, accessing unauthorized files within the confidential virtual machine. Upgrading to v1.19.1 and regenerating policies remediates the issue.

The Edgeless Systems Contrast CLI contains a high-severity vulnerability in its policy generation logic for the Kata Containers agent. It fails to properly restrict symbolic link resolution during CopyFile operations, allowing attackers to subvert container isolation policies and exfiltrate sensitive data from the Trusted Execution Environment (TEE).

Vulnerability Overview

GHSA-RH99-WC69-C255 is a high-severity vulnerability in the Edgeless Systems Contrast CLI. Contrast is a tool for deploying and managing confidential containers in Kubernetes environments. The vulnerability affects the policy generation mechanism that configures the Kata Containers agent.

The core issue is that the generated CopyFile policy does not handle symbolic links: it does not enforce strict path resolution during file operations, so an attacker can bypass the intended directory restrictions.

The impact of this vulnerability is a direct compromise of the Trusted Execution Environment (TEE) isolation. Attackers can leverage this flaw to exfiltrate sensitive data from the host or protected Confidential Virtual Machine (CVM) partitions. The vulnerability necessitates immediate remediation through CLI upgrades and policy regeneration.

Technical Root Cause Analysis

The vulnerability exists in the policy generation module of the Contrast CLI. Contrast produces security policies that dictate the permissible operations for the Kata Containers agent running inside a CVM. Among these operations is CopyFile, which controls file transfers within the environment.

The implementation fails to adequately restrict or resolve symbolic links during the validation phase of the CopyFile operation. When the Kata agent enforces the generated policy, it evaluates the file path provided by the requester against the allowed path patterns.

Because the generated policy lacks explicit directives to reject or safely resolve symlinks, the check behaves as a Time-of-Check Time-of-Use (TOCTOU) condition rooted in improper link resolution (CWE-59): the agent verifies the permissions of the symlink object itself, but the subsequent system call executes the copy operation on the underlying target file.

Policy Generation Logic

The vulnerable logic in versions prior to v1.19.1 generates a policy configuration that implicitly allows symlink resolution during file operations. The policy enforcement relies on standard path matching without requiring absolute path resolution prior to the operation.

In a vulnerable configuration, the Kata agent receives a policy that permits CopyFile operations within a specific directory scope (e.g., /allowed/directory/*). The policy engine does not include a mechanism to distinguish between standard files and symbolic links pointing outside this scope.

The fix introduced in version 1.19.1 modifies the policy generation logic. The patched CLI now generates policies with stricter path constraints, instructing the Kata agent to either validate the absolute, resolved path of the target file or to reject symlinks entirely for the CopyFile operation.

> [!NOTE]
> Upgrading the CLI alone does not fix running containers. The vulnerability resides in the generated policy artifact, meaning existing policies must be explicitly regenerated using the patched CLI version to mitigate the flaw.
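To make the difference between the two policy behaviours concrete, here is an added Python example (not Contrast or Kata Containers code) that contrasts a string-only scope check, in the spirit of the pre-v1.19.1 policy, with one that rejects or resolves symlinks before the copy. The directory layout, file names and contents are constructed for the demo.

```python
import os
import tempfile


def lexical_check(path: str, scope: str) -> bool:
    """String-only check in the spirit of the pre-v1.19.1 policy: a symlink
    placed inside the scope passes no matter where it points."""
    path, scope = os.path.normpath(path), os.path.normpath(scope)
    return path.startswith(scope + os.sep)


def resolved_check(path: str, scope: str, allow_symlinks: bool = False) -> bool:
    """Hardened check: reject any symlink component below the scope (default)
    or, if links are tolerated, require the resolved path to stay in scope."""
    path, scope = os.path.normpath(path), os.path.normpath(scope)
    if not path.startswith(scope + os.sep):
        return False
    if not allow_symlinks:
        cur = scope
        for part in os.path.relpath(path, scope).split(os.sep):
            cur = os.path.join(cur, part)
            if os.path.islink(cur):  # leaf or intermediate link: reject
                return False
    # Resolve every component, then require containment of the real path.
    real_path, real_scope = os.path.realpath(path), os.path.realpath(scope)
    return os.path.commonpath([real_path, real_scope]) == real_scope


def demo() -> dict:
    """Constructed layout: an allowed dir holding a regular file and a symlink
    to a 'secret' file outside it; returns each check's verdict."""
    root = tempfile.mkdtemp()
    scope = os.path.join(root, "allowed")
    os.mkdir(scope)
    secret, regular = os.path.join(root, "secret.txt"), os.path.join(scope, "ok.txt")
    for p in (secret, regular):
        with open(p, "w") as f:
            f.write("constructed sample content\n")
    link = os.path.join(scope, "data.txt")
    os.symlink(secret, link)
    return {
        "lexical_link": lexical_check(link, scope),  # True: the bypass
        "resolved_link": resolved_check(link, scope),  # False: rejected
        "resolved_link_follow": resolved_check(link, scope, allow_symlinks=True),
        "resolved_regular": resolved_check(regular, scope),
    }
```

Even the hardened check is still check-then-use; the copy itself should open the leaf with O_NOFOLLOW, or operate on the already-resolved descriptor, so that a link swapped in between the check and the copy is not followed.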

Exploitation Mechanics

Exploitation requires an attacker to have established a presence within the confidential container environment with sufficient privileges to create symbolic links. The attacker provisions a symlink within an allowed directory structure that points to an unauthorized, sensitive file located elsewhere on the filesystem.

Upon triggering the CopyFile operation through the Kata agent API, the agent reads the generated policy. The agent validates the path to the attacker-created symlink. Because the symlink is located within a permitted directory, the validation check passes.

During the execution phase, the agent's underlying file system call traverses the symlink. The operation succeeds, copying the sensitive target file instead of the symlink object itself. This lets the attacker copy the contents of restricted files into a location they can read.

Impact on Confidential Environments

In a confidential computing environment, security relies entirely on the integrity of the policies enforced by the agent. Subverting the CopyFile policy breaches the isolation boundary that separates the container workload from the underlying infrastructure.

By exploiting this vulnerability, an attacker can exfiltrate sensitive data. This includes accessing secrets mounted on the host, configuration files, or other protected areas of the CVM that were intended to be strictly isolated from the containerized application.

This flaw fundamentally circumvents the least privilege model. It compromises the primary value proposition of confidential computing by allowing unauthorized data access within the Trusted Execution Environment (TEE), rendering the hardware-level encryption and isolation guarantees ineffective against an internal threat.

Remediation and Redeployment

The primary mitigation is to upgrade the Contrast CLI and regenerate the Kata agent policies. Organizations must update their local CLI tools to v1.19.1 or later to obtain the corrected policy generation logic.

After upgrading the CLI, administrators must generate new security policies for all confidential container workloads. The patched CLI will output policies that properly restrict symlink resolution during file operations.

Finally, the affected confidential containers must be redeployed. The Kata agent requires the newly generated policy files to enforce the correct security posture. Running workloads will remain vulnerable until they are restarted with the updated policies.

Official Patches

Edgeless Systems: Fix Release v1.19.1

Technical Appendix

CVSS Score
8.4 / 10
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Affected Systems

  • Edgeless Systems Contrast CLI
  • Kata Containers Agent

Affected Versions Detail

Product         Vendor             Affected Versions   Fixed Version
Contrast CLI    Edgeless Systems   < 1.19.1            v1.19.1

Attribute         Detail
CWE ID            CWE-59
Attack Vector     Local Container Execution
CVSS Score        8.4
Impact            Data Exfiltration, Policy Bypass
Exploit Status    No public PoC
Remediation       Upgrade CLI and Regenerate Policies

MITRE ATT&CK Mapping

  • T1611 Escape to Host (Privilege Escalation)
  • T1083 File and Directory Discovery (Discovery)

CWE-59: Improper Link Resolution Before File Access ('Link Following')

The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Vulnerability Timeline

  • 2026-04-23: Vulnerability disclosed in the GitHub Advisory Database
  • 2026-04-23: Fix released in v1.19.1 of edgelesssys/contrast
