GHSA-q9m2-fhv9-3jcf
MEDIUM`potato-annotation` has a Project-Boundary Bypass
Blast Radius
potato-annotationReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects PyPI packages — download data is not available via public APIs for these ecosystems.
Description
Summary
validate_path_security uses string-prefix containment (startswith) for boundary checks. This allows paths that are outside the intended project directory but share its prefix string (e.g., /tmp/potato_proj_demo_evil/... vs /tmp/potato_proj_demo) to be accepted.
Details
Affected source location (root cause)
File: potato/server_utils/config_module.py
Snippet (lines 370–373):
real_path = os.path.realpath(normalized_path)
real_base = os.path.realpath(base_dir)
if not real_path.startswith(real_base):
raise ConfigSecurityError(...)
Snippet (lines 384–389):
real_path = os.path.realpath(normalized_path)
check_dir = project_dir if project_dir else base_dir
real_check_dir = os.path.realpath(check_dir)
if not real_path.startswith(real_check_dir):
raise ConfigSecurityError(...)
startswith() is string-based, so /tmp/potato_proj_demo_evil/... passes when checked against /tmp/potato_proj_demo.
Confirmed affected call sites
File: potato/server_utils/config_module.py
validate_file_pathstask_dir branch (line 2113)
validated_task_dir = validate_path_security(task_dir, project_dir)
validate_file_pathsdata_files branch (line 2151)
validated_path = validate_path_security(file_path, base_dir, project_dir)
validate_training_configtraining.data_file branch (line 2286)
validated_path = validate_path_security(data_file, base_dir, project_dir)
PoC
from potato.server_utils.config_module import validate_path_security
base = '/tmp/potato_proj_demo'
vuln = '/tmp/potato_proj_demo_evil/file.txt'
try:
print('inside=', validate_path_security('/tmp/potato_proj_demo/file.txt', base, base))
except Exception as e:
print('inside_error=', type(e).__name__, e)
try:
validate_path_security('/tmp/other_demo/file.txt', base, base)
except Exception as e:
print('baseline=', type(e).__name__, e)
print('trigger=', validate_path_security(vuln, base, base))
Impact
- Can allow unauthorized sibling-prefix file access outside intended project boundary.
- Can affect read paths (
data_files,training.data_file,base_css,header_logo) and output/path placement depending on configuration.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐍PyPI | potato-annotation | ≥ 2.0.0&&< 2.4.5 | 2.4.5 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for potato-annotation. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update potato-annotation to 2.4.5 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-q9m2-fhv9-3jcf is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-q9m2-fhv9-3jcf is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-q9m2-fhv9-3jcf. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-q9m2-fhv9-3jcf in your dependencies?
O3 detects GHSA-q9m2-fhv9-3jcf across PyPI dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.