Platform: nodejs
Component: @google/clasp
Fixed in: 3.2.1, 3.2.0
CVE-2026-4092 is a path traversal vulnerability in @google/clasp, the command-line tool for developing Google Apps Script projects. An attacker who controls the contents of a project that a developer fetches with clasp can cause files to be written outside the intended project directory, and that arbitrary file write can be turned into code execution on the developer's machine. Versions prior to 3.2.0 are affected; the fix is in 3.2.0.
The core impact is the out-of-directory write: clasp lets the attacker place or overwrite files beyond the project it is supposed to be working in. The precondition is that the attacker can influence the source or configuration files the tool processes, in practice by getting the developer to clone or pull a project the attacker controls. Because the write lands outside the project, it can reach files that the developer's shell, editor, or build tooling later executes, which is how a file write becomes code execution. From there the usual consequences follow: theft of credentials (clasp itself stores the developer's Google OAuth tokens in its configuration file), data theft, or full compromise of the workstation. No sandbox needs to be bypassed: the write happens with the developer's own privileges.
CVE-2026-4092 was publicly disclosed on 2026-03-13. There are currently no publicly known exploits or active campaigns targeting it. The EPSS score is 1.03% (77th percentile): a low absolute probability of exploitation within the next 30 days, but higher than roughly three quarters of scored CVEs. The precondition is cheap to meet (the victim clones or pulls a project the attacker controls), so this can change quickly once a proof of concept appears; monitor security advisories and threat-intelligence feeds for updates.
Developers who use @google/clasp to work on Google Apps Script projects are at risk, particularly those who clone or pull projects from external sources or run older, unpatched versions. Shared developer machines and CI runners where one global @google/clasp installation serves many developers or projects are at increased risk, since a single malicious project can affect files beyond its own directory.
• nodejs / clasp: Check the installed version; anything below 3.2.0 is affected. Use `npm ls -g @google/clasp` for a global install and `npm ls @google/clasp` inside each project that installs it locally.
• nodejs / clasp: Locate scripts that run clasp pull or clone unattended (CI jobs, sync scripts), since those fetch remote projects without anyone reviewing the file list: `find / -type f \( -name '*.sh' -o -name '*.cmd' \) -print0 2>/dev/null | xargs -0 grep -lE 'clasp +(pull|clone)'`
• nodejs / clasp: After a pull or clone, check for unexpected files or modifications, not only inside the Google Apps Script project directory but also in its parent directories and the home directory, because a path traversal write lands outside the project.
• nodejs / clasp: Review the output of npm audit for the project's dependencies. Note that npm audit only reports this issue where @google/clasp is declared as a dependency of the project; it does not cover a global install.
Disclosure: 2026-03-13
Exploit status: no publicly known exploit or active campaign
EPSS: 1.03% (77th percentile)
CISA SSVC
The primary mitigation for CVE-2026-4092 is to upgrade to @google/clasp 3.2.0 or later. If upgrading is not immediately feasible, a temporary workaround is to review the output of every pull and clone command and confirm that the files listed are only those expected inside the project directory. Treat that review as a detection, not a guard: the files have already been written by the time the listing can be read. Only clone or pull projects from trusted sources to limit exposure, and consider stricter access controls and code review for projects that are shared between developers.
Update clasp to version 3.2.0 or later; that version fixes the path traversal vulnerability that enables code execution on the developer's machine. You can update clasp through npm with `npm install -g @google/clasp`, then confirm the installed version with `npm ls -g @google/clasp`.
CVE-2026-4092 is a Path Traversal vulnerability in @google/clasp versions before 3.2.0, allowing attackers to modify files outside the project directory.
You are affected if you are using @google/clasp versions prior to 3.2.0 and clone or pull scripts from untrusted sources.
Upgrade to @google/clasp version 3.2.0 or later. As a temporary workaround, carefully review files modified by pull and clone commands.
There is currently no indication of active exploitation in the wild or public proof-of-concept code.
Refer to the @google/clasp release notes and security advisories on the Google Developers website for details.