Skip to main content
CVE Vulnerability Database

CVE-2025-6283: Xata Agent Path Traversal Vulnerability

CVE-2025-6283 is a path traversal vulnerability in Xata Agent up to version 0.3.0 that allows unauthorized file access. This article covers the technical details, affected versions, security impact, and mitigation steps.

Published:

CVE-2025-6283 Overview

CVE-2025-6283 is a path traversal vulnerability [CWE-22] in the xataio Xata Agent up to version 0.3.0. The flaw resides in the GET handler of apps/dbagent/src/app/api/evals/route.ts, where an attacker-controlled argument is used to construct a file path without proper sanitization. An adjacent-network attacker with low privileges can manipulate the path argument to read files outside the intended evaluation directory. The issue has been patched in version 0.3.1 via commit 03f27055e0cf5d4fa7e874d34ce8c74c7b9086cc.

Critical Impact

Authenticated attackers on adjacent networks can traverse the file system through the evaluations API endpoint, potentially exposing sensitive configuration or application files served by the Xata Agent.

Affected Products

  • xataio Xata Agent versions up to and including 0.3.0
  • The apps/dbagent/src/app/api/evals/route.ts API route
  • Deployments exposing the Xata Agent evaluations endpoint to adjacent networks

Discovery Timeline

  • 2025-06-19 - CVE-2025-6283 published to NVD
  • 2025-09-30 - Last updated in NVD database

Technical Details for CVE-2025-6283

Vulnerability Analysis

The Xata Agent exposes a Next.js API route at apps/dbagent/src/app/api/evals/route.ts that serves evaluation artifacts. The GET handler accepts a user-supplied argument and uses it to locate a file on disk. Because the input is not normalized or constrained to a base directory, attackers can supply sequences such as ../ to escape the intended folder. This permits arbitrary file reads within the privileges of the agent process.

The vulnerability falls under classic path traversal [CWE-22]. Exploitation requires authenticated access from an adjacent network and does not require user interaction. While the scope of the impact is limited to confidentiality, leaked files may include environment variables, database credentials, or other secrets used by the agent.

Root Cause

The root cause is missing canonicalization and base-directory validation on the file path argument processed by the GET route. The route concatenates the user input with a directory prefix and reads the resulting path directly. There is no enforcement that the resolved path remains within the configured evaluation folder.

Attack Vector

An authenticated user on the same adjacent network as the Xata Agent sends a crafted GET request to the /api/evals endpoint. The request includes a path argument with directory traversal sequences. The server resolves the path and returns the contents of files outside the evaluations directory.

text
# Patch excerpt — apps/dbagent/.env.eval.example
 # Eval variables
 JUDGE_MODEL="openai:gpt-4o"
 CHAT_MODEL="anthropic:claude-3-5-haiku"
+EVAL_FOLDER="/my/folder"
text
# Patch excerpt — apps/dbagent/.env.example
 GOOGLE_GENERATIVE_AI_API_KEY=

 EVAL=true
-
+EVAL_FOLDER="/my/folder"

Source: GitHub commit 03f27055. The fix introduces an EVAL_FOLDER configuration variable that constrains the evaluation route to a defined base directory, allowing the application to validate that resolved paths remain inside that folder.

Detection Methods for CVE-2025-6283

Indicators of Compromise

  • HTTP GET requests to /api/evals containing ../, ..%2f, or URL-encoded traversal sequences in query parameters
  • Access log entries showing reads of files outside the configured evaluation directory
  • Unexpected file access by the Xata Agent process to paths such as /etc/, ~/.env, or application source files

Detection Strategies

  • Inspect web server and application logs for query strings containing directory traversal patterns directed at the evaluations endpoint
  • Compare deployed Xata Agent versions against 0.3.1 to identify vulnerable instances
  • Add web application firewall rules that block traversal sequences on paths matching /api/evals*

Monitoring Recommendations

  • Enable file access auditing on the host running the Xata Agent to flag reads outside the EVAL_FOLDER path
  • Monitor outbound responses from the agent for unusual file content sizes or types served by /api/evals
  • Alert on authenticated sessions issuing repeated GET requests to evaluation endpoints with varying path parameters

How to Mitigate CVE-2025-6283

Immediate Actions Required

  • Upgrade the Xata Agent to version 0.3.1 or later, which contains commit 03f27055e0cf5d4fa7e874d34ce8c74c7b9086cc
  • Restrict network access to the Xata Agent so the evaluations API is not reachable from untrusted adjacent networks
  • Rotate any credentials or API keys that may have been exposed through agent-readable files

Patch Information

The fix is included in Xata Agent v0.3.1. The patch is tracked in pull request #191 and issue #179. It introduces an explicit EVAL_FOLDER configuration variable that constrains evaluation file lookups to a defined base directory.

Workarounds

  • Block external and adjacent-network access to the /api/evals route at a reverse proxy or ingress controller until the upgrade is applied
  • Run the Xata Agent under a least-privileged user account that cannot read sensitive system files or secrets outside the evaluation directory
  • Apply web application firewall rules that reject requests containing .. or URL-encoded traversal patterns on the evaluations endpoint
bash
# Example: set the evaluation folder after upgrading to v0.3.1
export EVAL=true
export EVAL_FOLDER="/var/lib/xata-agent/evals"

# Restart the agent so the new configuration takes effect
systemctl restart xata-agent

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.