{"url":"http://public2.vulnerablecode.io/api/packages/984078?format=json","purl":"pkg:npm/%40tinacms/graphql@0.0.0-d9ccf29-20251222052725","type":"npm","namespace":"@tinacms","name":"graphql","version":"0.0.0-d9ccf29-20251222052725","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.2.2","latest_non_vulnerable_version":"2.2.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90873?format=json","vulnerability_id":"VCID-bst2-cn5c-8bfk","summary":"@tinacms/graphql has a Path Traversal issue\n### Description\n\nTinaCMS allows users to create, update, and delete content documents using relative file paths (`relativePath`, `newRelativePath`) via GraphQL mutations. Under certain conditions, these paths are combined with the collection path using `path.join()` without validating that the resolved path remains within the collection root directory.\n\nBecause `path.join()` does not prevent directory traversal, paths containing `../` sequences can escape the intended directory boundary.\n\n### Attack Vectors\n\n1. **File Creation**: Create files outside the collection directory\n   ```graphql\n   createDocument(\n     collection: \"post\"\n     relativePath: \"../../config/malicious.md\"\n     params: { post: { title: \"malicious\" } }\n   )\n   ```\n\n2. **File Move/Rename**: Move existing files outside the collection\n   ```graphql\n   updateDocument(\n     collection: \"post\"\n     relativePath: \"existing.md\"\n     params: { relativePath: \"../../stolen.md\" }\n   )\n   ```\n\n3. **File Deletion**: Delete files outside the collection\n   ```graphql\n   deleteDocument(\n     collection: \"post\"\n     relativePath: \"../../important-config.md\"\n   )\n   ```\n\n4. **Folder Creation**: Create folders outside the collection\n   ```graphql\n   createFolder(\n     collection: \"post\"\n     relativePath: \"../../malicious-folder\"\n   )\n   ```\n\n## Impact\n\nAn authenticated user with document mutation permissions can:\n\n- **Create content files** outside collection boundaries (subject to schema validation)\n- **Move or rename files** outside collection boundaries\n- **Delete content files** outside collection boundaries\n- **Read file contents** via document retrieval mutations\n\n## Mitigating Factors\n\nSeveral constraints limit the practical impact of this vulnerability:\n\n1. **Schema Validation**: Created/updated content must conform to the collection's GraphQL schema. Attackers cannot write arbitrary file content—the `params` argument is validated against the generated mutation types (e.g., `PostMutation`).\n\n2. **Authentication Required**: Exploitation requires authenticated access with CMS editor permissions. Anonymous users cannot access GraphQL mutations.\n\n3. **Git Tracking**: In typical deployments, all file operations are tracked in git (either via GitHub API for Tina Cloud/self-hosted with GitProvider, or local filesystem changes). Malicious changes are visible in version control and can be reverted.\n\n### What This Vulnerability Does NOT Allow\n\n- Writing arbitrary file content (content is schema-validated)\n- Silent/untracked file modifications (changes appear in git)\n- Unauthenticated access\n\n## Proof of Concept\n\nSee `packages/@tinacms/graphql/tests/path-traversal-security/index.test.ts` for automated tests demonstrating the vulnerability.\n\nManual reproduction:\n```bash\nnode -e \"\nconst path = require('path');\n\nconst collectionPath = 'content/posts';\nconst maliciousRelativePath = '../../OUTSIDE/poc.md';\n\nconst realPath = path.join(collectionPath, maliciousRelativePath);\nconsole.log('Resolved path:', realPath);\n// Output: OUTSIDE/poc.md (escaped content/posts)\n\"\n```","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24125","reference_id":"","reference_type":"","scores":[{"value":"0.00093","scoring_system":"epss","scoring_elements":"0.26068","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00093","scoring_system":"epss","scoring_elements":"0.2617","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00093","scoring_system":"epss","scoring_elements":"0.26162","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00093","scoring_system":"epss","scoring_elements":"0.26117","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00093","scoring_system":"epss","scoring_elements":"0.26061","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24125"},{"reference_url":"https://github.com/tinacms/tinacms","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/tinacms/tinacms"},{"reference_url":"https://github.com/tinacms/tinacms/security/advisories/GHSA-2238-xc5r-v9hj","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T17:54:30Z/"}],"url":"https://github.com/tinacms/tinacms/security/advisories/GHSA-2238-xc5r-v9hj"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24125","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24125"},{"reference_url":"https://github.com/advisories/GHSA-2238-xc5r-v9hj","reference_id":"GHSA-2238-xc5r-v9hj","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2238-xc5r-v9hj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112769?format=json","purl":"pkg:npm/%40tinacms/graphql@2.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-n113-nq2s-5yg3"},{"vulnerability":"VCID-uxsf-y8p8-1fcf"},{"vulnerability":"VCID-yujv-ty5w-fkhm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540tinacms/graphql@2.1.2"}],"aliases":["CVE-2026-24125","GHSA-2238-xc5r-v9hj"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bst2-cn5c-8bfk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90112?format=json","vulnerability_id":"VCID-n113-nq2s-5yg3","summary":"@tinacms/graphql's Media Endpoints Can Escape the Media Root via Symlinks or Junctions\n## Summary\n\n`@tinacms/cli` recently added lexical path-traversal checks to the dev media routes, but the implementation still validates only the path string and does not resolve symlink or junction targets.\n\nIf a link already exists under the media root, Tina accepts a path like `pivot/written-from-media.txt` as \"inside\" the media directory and then performs real filesystem operations through that link target. This allows out-of-root media listing and write access, and the same root cause also affects delete.\n\n## Details\n\nThe dev media handlers validate user-controlled paths with:\n\n```ts\nfunction resolveWithinBase(userPath: string, baseDir: string): string {\n  const resolvedBase = path.resolve(baseDir);\n  const resolved = path.resolve(path.join(baseDir, userPath));\n  if (resolved === resolvedBase) {\n    return resolvedBase;\n  }\n  if (resolved.startsWith(resolvedBase + path.sep)) {\n    return resolved;\n  }\n  throw new PathTraversalError(userPath);\n}\n\nfunction resolveStrictlyWithinBase(userPath: string, baseDir: string): string {\n  const resolvedBase = path.resolve(baseDir) + path.sep;\n  const resolved = path.resolve(path.join(baseDir, userPath));\n  if (!resolved.startsWith(resolvedBase)) {\n    throw new PathTraversalError(userPath);\n  }\n  return resolved;\n}\n```\n\nBut the validated path is then used directly for real filesystem access:\n\n```ts\nfilesStr = await fs.readdir(validatedPath);\n...\nawait fs.ensureDir(path.dirname(saveTo));\nfile.pipe(fs.createWriteStream(saveTo));\n...\nawait fs.remove(file);\n```\n\nThis does not account for symlinks/junctions already present below the media root. A path such as `pivot/secret.txt` can be lexically inside the media directory while the filesystem target is outside it.\n\n## Local Reproduction\n\nI verified this locally with a real junction on Windows.\n\nTest layout:\n\n- media root: `D:\\bugcrowd\\tinacms\\temp\\junction-repro4\\public\\uploads`\n- junction under media root: `public\\uploads\\pivot -> D:\\bugcrowd\\tinacms\\temp\\junction-repro4\\outside`\n- file outside the media root: `outside\\secret.txt`\n\nTina's current media-path validation logic was applied and used to perform the same list/write operations the route handlers use.\n\nObserved result:\n\n```json\n{\n  \"media\": {\n    \"base\": \"D:\\\\bugcrowd\\\\tinacms\\\\temp\\\\junction-repro4\\\\public\\\\uploads\",\n    \"resolvedListPath\": \"D:\\\\bugcrowd\\\\tinacms\\\\temp\\\\junction-repro4\\\\public\\\\uploads\\\\pivot\",\n    \"listedEntries\": [\n      \"secret.txt\"\n    ],\n    \"resolvedWritePath\": \"D:\\\\bugcrowd\\\\tinacms\\\\temp\\\\junction-repro4\\\\public\\\\uploads\\\\pivot\\\\written-from-media.txt\",\n    \"outsideWriteExists\": true,\n    \"outsideWriteContents\": \"MEDIA_ESCAPE\"\n  }\n}\n```\n\nThis shows the problem clearly:\n\n- the path validator accepted `pivot`\n- listing revealed a file from outside the media root\n- writing to `pivot/written-from-media.txt` created `outside\\written-from-media.txt`\n\nThe delete path uses the same flawed containment model and should be hardened at the same time.\n\n## Impact\n\n- **Out-of-root file listing** via `/media/list/...`\n- **Out-of-root file write** via `/media/upload/...`\n- **Likely out-of-root file delete** via `/media/...` `DELETE`, using the same path-validation gap\n- **Bypass of the recent path traversal hardening** for any deployment whose media tree contains a link to another location\n\nThis is especially relevant in development and self-hosted workflows where the media directory may contain symlinks or junctions intentionally or via repository content.\n\n## Recommended Fix\n\nHarden media path validation with canonical filesystem checks:\n\n1. resolve the real base path with `fs.realpath()`\n2. resolve the real target path, or for writes the nearest existing parent\n3. compare canonical paths rather than lexical strings\n4. reject any operation that traverses through a symlink/junction to leave the real media root\n\n`path.resolve(...).startsWith(...)` is not sufficient for filesystem security on linked paths.\n\n## Resources\n\n- `packages/@tinacms/cli/src/next/commands/dev-command/server/media.ts`\n- `packages/@tinacms/cli/src/server/models/media.ts`\n- `packages/@tinacms/cli/src/utils/path.ts`","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34603","reference_id":"","reference_type":"","scores":[{"value":"0.00087","scoring_system":"epss","scoring_elements":"0.25021","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00087","scoring_system":"epss","scoring_elements":"0.25033","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00087","scoring_system":"epss","scoring_elements":"0.24968","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00101","scoring_system":"epss","scoring_elements":"0.27314","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00101","scoring_system":"epss","scoring_elements":"0.27305","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34603"},{"reference_url":"https://github.com/tinacms/tinacms","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/tinacms/tinacms"},{"reference_url":"https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-01T17:52:31Z/"}],"url":"https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955"},{"reference_url":"https://github.com/tinacms/tinacms/security/advisories/GHSA-g87c-r2jp-293w","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-01T17:52:31Z/"}],"url":"https://github.com/tinacms/tinacms/security/advisories/GHSA-g87c-r2jp-293w"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34603","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34603"},{"reference_url":"https://github.com/advisories/GHSA-g87c-r2jp-293w","reference_id":"GHSA-g87c-r2jp-293w","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g87c-r2jp-293w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/111322?format=json","purl":"pkg:npm/%40tinacms/graphql@2.2.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540tinacms/graphql@2.2.2"}],"aliases":["CVE-2026-34603","GHSA-g87c-r2jp-293w"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n113-nq2s-5yg3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91707?format=json","vulnerability_id":"VCID-uxsf-y8p8-1fcf","summary":"@tinacms/graphql has Path Traversal that leads to overwrite of arbitrary files\n### Summary\nA Path Traversal vulnerability in `@tinacms/graphql` allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the `relativePath` parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build scripts.\n\n### Details\nThe vulnerability exists in the path validation logic within `@tinacms/graphql`. Specifically, the regex-based validation in `getValidatedPath` fails to recognize backslashes (`\\`) as directory separators on non-Windows platforms (Mac/Linux). An attacker can provide a path like `x\\..\\..\\..\\package.json`, which bypasses the validation check but is subsequently treated as a traversal path during file I/O operations by the underlying `fs` modules and path normalization utilities.\n\nIncriminated code areas:\n- [packages/@tinacms/graphql/src/database/bridge/filesystem.ts](tinacms/packages/@tinacms/graphql/src/database/bridge/filesystem.ts): [assertWithinBase](tinacms/graphql/src/database/bridge/filesystem.ts#7-35) function.\n- [packages/@tinacms/graphql/src/resolver/index.ts](tinacms/packages/@tinacms/graphql/src/resolver/index.ts): `getValidatedPath` function.\n\n### PoC\n1. Start the TinaCMS development server.\n2. Send a malicious GraphQL mutation to overwrite a project file (e.g., [package.json](tinacms/examples/tina-self-hosted-demo/package.json)):\n\n```bash\ncurl -X POST http://localhost:4001/graphql \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"query\": \"mutation { updateDocument(collection: \\\"global\\\", relativePath: \\\"x\\\\\\\\..\\\\\\\\..\\\\\\\\..\\\\\\\\package.json\\\", params: { global: { header: { name: \\\"OVERWRITTEN\\\" } } }) { __typename } }\"}'\n```\n\n3. Observe that the root [package.json](tinacms/examples/tina-self-hosted-demo/package.json) has been replaced with the provided payload.\n\n<img width=\"1424\" height=\"516\" alt=\"2026-03-15_12-24-05 PM\" src=\"https://github.com/user-attachments/assets/9fdf94ce-2183-4a24-9cd9-48f21deb9768\" />\n\n<img width=\"1387\" height=\"774\" alt=\"2026-03-15_12-27-33 PM\" src=\"https://github.com/user-attachments/assets/676f083b-f934-4cf2-978b-bb2fabee0216\" />\n\n### Impact\nThis is an **Arbitrary File Write** vulnerability. Any unauthenticated user with network access to the GraphQL API can:\n- Overwrite critical server configuration files (e.g., [package.json](tinacms/examples/tina-self-hosted-demo/package.json), [tsconfig.json](tinacms/examples/tina-self-hosted-demo/tsconfig.json)).\n- Host malicious scripts in the `public/` directory for client-side attacks.\n- Perform **Arbitrary Code Execution** by modifying build scripts or server-side logic files that are subsequently executed by the environment.\n\n\n\n**Weaknesses:**\n- **CWE-22**: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')\n- **CWE-73**: External Control of File Name or Path","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33949","reference_id":"","reference_type":"","scores":[{"value":"0.00243","scoring_system":"epss","scoring_elements":"0.47827","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00243","scoring_system":"epss","scoring_elements":"0.47811","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00243","scoring_system":"epss","scoring_elements":"0.47829","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00282","scoring_system":"epss","scoring_elements":"0.51902","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00282","scoring_system":"epss","scoring_elements":"0.51882","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33949"},{"reference_url":"https://github.com/tinacms/tinacms","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/tinacms/tinacms"},{"reference_url":"https://github.com/tinacms/tinacms/security/advisories/GHSA-v9p7-gf3q-h779","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:44:36Z/"}],"url":"https://github.com/tinacms/tinacms/security/advisories/GHSA-v9p7-gf3q-h779"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33949","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33949"},{"reference_url":"https://github.com/advisories/GHSA-v9p7-gf3q-h779","reference_id":"GHSA-v9p7-gf3q-h779","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v9p7-gf3q-h779"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/111322?format=json","purl":"pkg:npm/%40tinacms/graphql@2.2.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540tinacms/graphql@2.2.2"}],"aliases":["CVE-2026-33949","GHSA-v9p7-gf3q-h779"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uxsf-y8p8-1fcf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90080?format=json","vulnerability_id":"VCID-yujv-ty5w-fkhm","summary":"@tinacms/graphql's `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions\n## Summary\n\n`@tinacms/graphql` uses string-based path containment checks in `FilesystemBridge`:\n\n- `path.resolve(path.join(baseDir, filepath))`\n- `startsWith(resolvedBase + path.sep)`\n\nThat blocks plain `../` traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the allowed content root, a path like `content/posts/pivot/owned.md` is still considered \"inside\" the base even though the real filesystem target can be outside it.\n\nAs a result, `FilesystemBridge.get()`, `put()`, `delete()`, and `glob()` can operate on files outside the intended root.\n\n## Details\n\nThe current bridge validation is:\n\n```ts\nfunction assertWithinBase(filepath: string, baseDir: string): string {\n  const resolvedBase = path.resolve(baseDir);\n  const resolved = path.resolve(path.join(baseDir, filepath));\n  if (\n    resolved !== resolvedBase &&\n    !resolved.startsWith(resolvedBase + path.sep)\n  ) {\n    throw new Error(\n      `Path traversal detected: \"${filepath}\" escapes the base directory`\n    );\n  }\n  return resolved;\n}\n```\n\nBut the bridge then performs real filesystem I/O on the resulting path:\n\n```ts\npublic async get(filepath: string) {\n  const resolved = assertWithinBase(filepath, this.outputPath);\n  return (await fs.readFile(resolved)).toString();\n}\n\npublic async put(filepath: string, data: string, basePathOverride?: string) {\n  const basePath = basePathOverride || this.outputPath;\n  const resolved = assertWithinBase(filepath, basePath);\n  await fs.outputFile(resolved, data);\n}\n\npublic async delete(filepath: string) {\n  const resolved = assertWithinBase(filepath, this.outputPath);\n  await fs.remove(resolved);\n}\n```\n\nThis is a classic realpath gap:\n\n1. validation checks the lexical path string\n2. the filesystem follows the link target during I/O\n3. the actual target can be outside the intended root\n\nThis is reachable from Tina's GraphQL/local database flow. The resolver builds a validated path from user-controlled `relativePath`, but that validation is also string-based:\n\n```ts\nconst realPath = path.join(collection.path, relativePath);\nthis.validatePath(realPath, collection, relativePath);\n```\n\nDatabase write and delete operations then call the bridge:\n\n```ts\nawait this.bridge.put(normalizedPath, stringifiedFile);\n...\nawait this.bridge.delete(normalizedPath);\n```\n\n## Local Reproduction\n\nThis was verified llocally with a real junction on Windows, which exercises the same failure mode as a symlink on Unix-like systems.\n\nTest layout:\n\n- content root: `D:\\bugcrowd\\tinacms\\temp\\junction-repro4`\n- allowed collection path: `content/posts`\n- junction inside collection: `content/posts/pivot -> D:\\bugcrowd\\tinacms\\temp\\junction-repro4\\outside`\n- file outside content root: `outside\\secret.txt`\n\nTina's current path-validation logic was applied and used to perform bridge-style read/write operations through the junction.\n\nObserved result:\n\n```json\n{\n  \"graphqlBridge\": {\n    \"collectionPath\": \"content/posts\",\n    \"requestedRelativePath\": \"pivot/owned.md\",\n    \"validatedRealPath\": \"content\\\\posts\\\\pivot\\\\owned.md\",\n    \"bridgeResolvedPath\": \"D:\\\\bugcrowd\\\\tinacms\\\\temp\\\\junction-repro4\\\\content\\\\posts\\\\pivot\\\\owned.md\",\n    \"bridgeRead\": \"TOP_SECRET_FROM_OUTSIDE\\\\r\\\\n\",\n    \"outsideGraphqlWriteExists\": true,\n    \"outsideGraphqlWriteContents\": \"GRAPHQL_ESCAPE\"\n  }\n}\n```\n\nThat is the critical point:\n\n- the path was accepted as inside `content/posts`\n- the bridge read `outside\\secret.txt`\n- the bridge wrote `outside\\owned.md`\n\nSo the current containment check does not actually constrain filesystem access to the configured content root once a link exists inside that tree.\n\n## Impact\n\n- **Arbitrary file read/write outside the configured content root**\n- **Potential delete outside the configured content root** via the same `assertWithinBase()` gap in `delete()`\n- **Breaks the assumptions of the recent path-traversal fixes** because only lexical traversal is blocked\n- **Practical attack chains** where the content tree contains a committed symlink/junction, or an attacker can cause one to exist before issuing GraphQL/content operations\n\nThe exact network exploitability depends on how the application exposes Tina's GraphQL/content operations, but the underlying bridge bug is real and independently security-relevant.\n\n## Recommended Fix\n\nThe containment check needs to compare canonical filesystem paths, not just string-normalized paths.\n\nFor example:\n\n1. resolve the base with `fs.realpath()`\n2. resolve the candidate path's parent with `fs.realpath()`\n3. reject any request whose real target path escapes the real base\n4. for write operations, carefully canonicalize the nearest existing parent directory before creating the final file\n\nIn short: use realpath-aware containment checks for every filesystem sink, not `path.resolve(...).startsWith(...)` alone.\n\n## Resources\n\n- `packages/@tinacms/graphql/src/database/bridge/filesystem.ts`\n- `packages/@tinacms/graphql/src/database/index.ts`\n- `packages/@tinacms/graphql/src/resolver/index.ts`","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34604","reference_id":"","reference_type":"","scores":[{"value":"0.00089","scoring_system":"epss","scoring_elements":"0.2539","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00089","scoring_system":"epss","scoring_elements":"0.25438","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00089","scoring_system":"epss","scoring_elements":"0.25452","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00103","scoring_system":"epss","scoring_elements":"0.27778","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00103","scoring_system":"epss","scoring_elements":"0.27772","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34604"},{"reference_url":"https://github.com/tinacms/tinacms","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/tinacms/tinacms"},{"reference_url":"https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-01T17:59:42Z/"}],"url":"https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955"},{"reference_url":"https://github.com/tinacms/tinacms/security/advisories/GHSA-g9c2-gf25-3x67","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-01T17:59:42Z/"}],"url":"https://github.com/tinacms/tinacms/security/advisories/GHSA-g9c2-gf25-3x67"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34604","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34604"},{"reference_url":"https://github.com/advisories/GHSA-g9c2-gf25-3x67","reference_id":"GHSA-g9c2-gf25-3x67","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g9c2-gf25-3x67"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/111322?format=json","purl":"pkg:npm/%40tinacms/graphql@2.2.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540tinacms/graphql@2.2.2"}],"aliases":["CVE-2026-34604","GHSA-g9c2-gf25-3x67"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yujv-ty5w-fkhm"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540tinacms/graphql@0.0.0-d9ccf29-20251222052725"}