network-ai@5.12.0

AI agent orchestration framework for TypeScript/Node.js - 32 adapters (LangChain, AutoGen, CrewAI, OpenAI Assistants, OpenAI Responses, LlamaIndex, Semantic Kernel, Haystack, DSPy, Agno, MCP, OpenClaw, A2A, Codex, MiniMax, NemoClaw, APS, Copilot, LangGrap

  • latest version

    5.15.0

  • latest non vulnerable version

  • first published

    5 months ago

  • latest version published

    10 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the network-ai package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Relative Path Traversal

    network-ai is an AI agent orchestration framework for TypeScript/Node.js - 29 adapters (LangChain, AutoGen, CrewAI, OpenAI Assistants, LlamaIndex, Semantic Kernel, Haystack, DSPy, Agno, MCP, OpenClaw, A2A, Codex, MiniMax, NemoClaw, APS, Copilot, LangGraph, Anthropic Compu

    Affected versions of this package are vulnerable to Relative Path Traversal via the restore function. An attacker can copy arbitrary directories from outside the intended backup location into environment data directories by supplying a crafted backup ID containing path traversal sequences. This can result in exposure of sensitive files, overwriting of configuration files, and compromise of environment isolation, depending on the files present and process filesystem permissions.

    How to fix Relative Path Traversal?

    Upgrade network-ai to version 5.12.2 or higher.

    <5.12.2
    • M
    Symlink Attack

    network-ai is an AI agent orchestration framework for TypeScript/Node.js - 29 adapters (LangChain, AutoGen, CrewAI, OpenAI Assistants, LlamaIndex, Semantic Kernel, Haystack, DSPy, Agno, MCP, OpenClaw, A2A, Codex, MiniMax, NemoClaw, APS, Copilot, LangGraph, Anthropic Compu

    Affected versions of this package are vulnerable to Symlink Attack via the backup process. An attacker can access sensitive files outside the intended directory by placing a symbolic link within the environment data directory, causing the backup operation to include files from outside the environment root.

    How to fix Symlink Attack?

    Upgrade network-ai to version 5.12.2 or higher.

    <5.12.2
    • M
    Relative Path Traversal

    network-ai is an AI agent orchestration framework for TypeScript/Node.js - 29 adapters (LangChain, AutoGen, CrewAI, OpenAI Assistants, LlamaIndex, Semantic Kernel, Haystack, DSPy, Agno, MCP, OpenClaw, A2A, Codex, MiniMax, NemoClaw, APS, Copilot, LangGraph, Anthropic Compu

    Affected versions of this package are vulnerable to Relative Path Traversal through improper path containment checks in the resolvePath and isPathAllowed functions. An attacker can access files outside the intended sandbox directory by supplying paths that share a prefix with the sandbox base path, such as sibling directories, thereby bypassing the sandbox boundary and reading or listing sensitive files.

    How to fix Relative Path Traversal?

    Upgrade network-ai to version 5.12.2 or higher.

    <5.12.2
    • M
    Missing Authorization

    network-ai is an AI agent orchestration framework for TypeScript/Node.js - 29 adapters (LangChain, AutoGen, CrewAI, OpenAI Assistants, LlamaIndex, Semantic Kernel, Haystack, DSPy, Agno, MCP, OpenClaw, A2A, Codex, MiniMax, NemoClaw, APS, Copilot, LangGraph, Anthropic Compu

    Affected versions of this package are vulnerable to Missing Authorization via the ApprovalInbox HTTP server, which lacks authentication and sets a wildcard CORS policy on all routes. An attacker can enumerate and approve pending high-risk actions by sending crafted HTTP requests, including cross-origin requests from a malicious website or direct network access. This allows execution of sensitive operations without legitimate user consent.

    How to fix Missing Authorization?

    Upgrade network-ai to version 5.12.2 or higher.

    >=5.0.0 <5.12.2
    • M
    External Control of File Name or Path

    network-ai is an AI agent orchestration framework for TypeScript/Node.js - 29 adapters (LangChain, AutoGen, CrewAI, OpenAI Assistants, LlamaIndex, Semantic Kernel, Haystack, DSPy, Agno, MCP, OpenClaw, A2A, Codex, MiniMax, NemoClaw, APS, Copilot, LangGraph, Anthropic Compu

    Affected versions of this package are vulnerable to External Control of File Name or Path via the pruneBackups process. An attacker can cause arbitrary recursive deletion of files and directories accessible to the process user by placing or modifying a crafted _manifest.json file with a malicious path field. This can result in deletion of important project files or data directories, leading to data loss and service disruption. This is only exploitable if the attacker has write access to the application's data directory.

    How to fix External Control of File Name or Path?

    Upgrade network-ai to version 5.12.2 or higher.

    <5.12.2