@evomap/evolver 1.68.0-beta.1

Direct Vulnerabilities

Known vulnerabilities in the @evomap/evolver package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
C Command Injection @evomap/evolver is an A GEP-powered self-evolution engine for AI agents. Features automated log analysis and Genome Evolution Protocol (GEP) for auditable, reusable evolution assets. Affected versions of this package are vulnerable to Command Injection via the `runInSandbox` function. An attacker can execute arbitrary code with the privileges of the validator process by supplying malicious `validation_commands` from a compromised or intercepted Hub response, which are then executed without adequate validation or isolation. How to fix Command Injection? Upgrade `@evomap/evolver` to version 1.70.0-beta.5 or higher.	<1.70.0-beta.5
M Allocation of Resources Without Limits or Throttling @evomap/evolver is an A GEP-powered self-evolution engine for AI agents. Features automated log analysis and Genome Evolution Protocol (GEP) for auditable, reusable evolution assets. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `parseBody` function and the `/asset/submit` and `/mailbox/send` routes, which do not enforce limits on request body size or payload content. An attacker can exhaust disk space and cause persistent service outages by repeatedly sending large requests, leading to out-of-memory conditions and crashes on service restart. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `@evomap/evolver` to version 1.70.0-beta.5 or higher.	<1.70.0-beta.5
H External Control of File Name or Path @evomap/evolver is an A GEP-powered self-evolution engine for AI agents. Features automated log analysis and Genome Evolution Protocol (GEP) for auditable, reusable evolution assets. Affected versions of this package are vulnerable to External Control of File Name or Path via the `fetch` subcommand. An attacker can overwrite arbitrary files in the user's working directory, including executable scripts and configuration files, by supplying a crafted `skill_id` value and malicious file content from a remote Hub. This can result in execution of attacker-controlled code with the privileges of the victim when the overwritten files are subsequently run. How to fix External Control of File Name or Path? Upgrade `@evomap/evolver` to version 1.70.0-beta.5 or higher.	<1.70.0-beta.5
H Prototype Pollution @evomap/evolver is an A GEP-powered self-evolution engine for AI agents. Features automated log analysis and Genome Evolution Protocol (GEP) for auditable, reusable evolution assets. Affected versions of this package are vulnerable to Prototype Pollution via the `Object.assign` process in mailbox store operations. An attacker can modify the prototype of all JavaScript objects, potentially bypassing authentication checks, manipulating application logic, or causing denial of service by injecting malicious properties through crafted entries in the `messages.jsonl` file. Note: This is only exploitable if the attacker has write access to the mailbox messages file. How to fix Prototype Pollution? Upgrade `@evomap/evolver` to version 1.69.1 or higher.	<1.69.1
H Directory Traversal @evomap/evolver is an A GEP-powered self-evolution engine for AI agents. Features automated log analysis and Genome Evolution Protocol (GEP) for auditable, reusable evolution assets. Affected versions of this package are vulnerable to Directory Traversal via the `--out` flag in the `fetch` call. An attacker can overwrite or create files in arbitrary locations on the filesystem by supplying crafted path values, potentially leading to system compromise or privilege escalation. How to fix Directory Traversal? Upgrade `@evomap/evolver` to version 1.69.1 or higher.	<1.69.1
C Command Injection @evomap/evolver is an A GEP-powered self-evolution engine for AI agents. Features automated log analysis and Genome Evolution Protocol (GEP) for auditable, reusable evolution assets. Affected versions of this package are vulnerable to Command Injection via the `_extractLLM` function. An attacker can execute arbitrary shell commands on the server by supplying crafted input to the `corpus` parameter, which is incorporated into a shell command without proper sanitization and executed using `execSync`. This can result in full system compromise, data exfiltration, or installation of malware by injecting shell metacharacters or command substitution syntax. How to fix Command Injection? Upgrade `@evomap/evolver` to version 1.69.1 or higher.	<1.69.1

Vulnerability

Vulnerable Version

Command Injection

@evomap/evolver is an A GEP-powered self-evolution engine for AI agents. Features automated log analysis and Genome Evolution Protocol (GEP) for auditable, reusable evolution assets.

Affected versions of this package are vulnerable to Command Injection via the runInSandbox function. An attacker can execute arbitrary code with the privileges of the validator process by supplying malicious validation_commands from a compromised or intercepted Hub response, which are then executed without adequate validation or isolation.

How to fix Command Injection?

Upgrade @evomap/evolver to version 1.70.0-beta.5 or higher.

<1.70.0-beta.5

Allocation of Resources Without Limits or Throttling

@evomap/evolver is an A GEP-powered self-evolution engine for AI agents. Features automated log analysis and Genome Evolution Protocol (GEP) for auditable, reusable evolution assets.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the parseBody function and the /asset/submit and /mailbox/send routes, which do not enforce limits on request body size or payload content. An attacker can exhaust disk space and cause persistent service outages by repeatedly sending large requests, leading to out-of-memory conditions and crashes on service restart.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade @evomap/evolver to version 1.70.0-beta.5 or higher.

<1.70.0-beta.5

External Control of File Name or Path

@evomap/evolver is an A GEP-powered self-evolution engine for AI agents. Features automated log analysis and Genome Evolution Protocol (GEP) for auditable, reusable evolution assets.

Affected versions of this package are vulnerable to External Control of File Name or Path via the fetch subcommand. An attacker can overwrite arbitrary files in the user's working directory, including executable scripts and configuration files, by supplying a crafted skill_id value and malicious file content from a remote Hub. This can result in execution of attacker-controlled code with the privileges of the victim when the overwritten files are subsequently run.

How to fix External Control of File Name or Path?

Upgrade @evomap/evolver to version 1.70.0-beta.5 or higher.

<1.70.0-beta.5

Prototype Pollution

@evomap/evolver is an A GEP-powered self-evolution engine for AI agents. Features automated log analysis and Genome Evolution Protocol (GEP) for auditable, reusable evolution assets.

Affected versions of this package are vulnerable to Prototype Pollution via the Object.assign process in mailbox store operations. An attacker can modify the prototype of all JavaScript objects, potentially bypassing authentication checks, manipulating application logic, or causing denial of service by injecting malicious properties through crafted entries in the messages.jsonl file.

Note: This is only exploitable if the attacker has write access to the mailbox messages file.

How to fix Prototype Pollution?

Upgrade @evomap/evolver to version 1.69.1 or higher.

<1.69.1

Directory Traversal

@evomap/evolver is an A GEP-powered self-evolution engine for AI agents. Features automated log analysis and Genome Evolution Protocol (GEP) for auditable, reusable evolution assets.

Affected versions of this package are vulnerable to Directory Traversal via the --out flag in the fetch call. An attacker can overwrite or create files in arbitrary locations on the filesystem by supplying crafted path values, potentially leading to system compromise or privilege escalation.

How to fix Directory Traversal?

Upgrade @evomap/evolver to version 1.69.1 or higher.

<1.69.1

Command Injection

@evomap/evolver is an A GEP-powered self-evolution engine for AI agents. Features automated log analysis and Genome Evolution Protocol (GEP) for auditable, reusable evolution assets.

Affected versions of this package are vulnerable to Command Injection via the _extractLLM function. An attacker can execute arbitrary shell commands on the server by supplying crafted input to the corpus parameter, which is incorporated into a shell command without proper sanitization and executed using execSync. This can result in full system compromise, data exfiltration, or installation of malware by injecting shell metacharacters or command substitution syntax.

How to fix Command Injection?

Upgrade @evomap/evolver to version 1.69.1 or higher.

<1.69.1

@evomap/evolver@1.68.0-beta.1

A GEP-powered self-evolution engine for AI agents. Features automated log analysis and Genome Evolution Protocol (GEP) for auditable, reusable evolution assets.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically