CVE-2025-6283 Overview
CVE-2025-6283 is a path traversal vulnerability [CWE-22] in the xataio Xata Agent up to version 0.3.0. The flaw resides in the GET handler of apps/dbagent/src/app/api/evals/route.ts, where an attacker-controlled argument is used to construct a file path without proper sanitization. An adjacent-network attacker with low privileges can manipulate the path argument to read files outside the intended evaluation directory. The issue has been patched in version 0.3.1 via commit 03f27055e0cf5d4fa7e874d34ce8c74c7b9086cc.
Critical Impact
Authenticated attackers on adjacent networks can traverse the file system through the evaluations API endpoint, potentially exposing sensitive configuration or application files served by the Xata Agent.
Affected Products
- xataio Xata Agent versions up to and including 0.3.0
- The apps/dbagent/src/app/api/evals/route.ts API route
- Deployments exposing the Xata Agent evaluations endpoint to adjacent networks
Discovery Timeline
- 2025-06-19 - CVE-2025-6283 published to NVD
- 2025-09-30 - Last updated in NVD database
Technical Details for CVE-2025-6283
Vulnerability Analysis
The Xata Agent exposes a Next.js API route at apps/dbagent/src/app/api/evals/route.ts that serves evaluation artifacts. The GET handler accepts a user-supplied argument and uses it to locate a file on disk. Because the input is not normalized or constrained to a base directory, attackers can supply sequences such as ../ to escape the intended folder. This permits arbitrary file reads within the privileges of the agent process.
The vulnerability falls under classic path traversal [CWE-22]. Exploitation requires authenticated access from an adjacent network and does not require user interaction. While the scope of the impact is limited to confidentiality, leaked files may include environment variables, database credentials, or other secrets used by the agent.
Root Cause
The root cause is missing canonicalization and base-directory validation on the file path argument processed by the GET route. The route concatenates the user input with a directory prefix and reads the resulting path directly. There is no enforcement that the resolved path remains within the configured evaluation folder.
Attack Vector
An authenticated user on the same adjacent network as the Xata Agent sends a crafted GET request to the /api/evals endpoint. The request includes a path argument with directory traversal sequences. The server resolves the path and returns the contents of files outside the evaluations directory.
# Patch excerpt — apps/dbagent/.env.eval.example
# Eval variables
JUDGE_MODEL="openai:gpt-4o"
CHAT_MODEL="anthropic:claude-3-5-haiku"
+EVAL_FOLDER="/my/folder"
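Review bot: "/my/folder" is clearly a placeholder, but nothing in this example file says that EVAL_FOLDER is the only directory the evals route is permitted to serve from, or that it should be an absolute path; add a one-line comment above `+EVAL_FOLDER="/my/folder"` stating both, since an operator who copies the example value verbatim gets a base directory that does not exist.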
# Patch excerpt — apps/dbagent/.env.example
GOOGLE_GENERATIVE_AI_API_KEY=
EVAL=true
-
+EVAL_FOLDER="/my/folder"
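Review bot: the hunk places `+EVAL_FOLDER="/my/folder"` directly after `EVAL=true` but does not document the relationship between the two; state in the example whether EVAL_FOLDER is required whenever EVAL=true, and what the route does when EVAL=true is set and EVAL_FOLDER is left empty, so that deployments upgrading from .env files that predate this variable do not silently fall back to an unconstrained path.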
Source: GitHub commit 03f27055. The fix introduces an EVAL_FOLDER configuration variable that constrains the evaluation route to a defined base directory, allowing the application to validate that resolved paths remain inside that folder.
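The root cause described above (a user argument joined onto a directory prefix with no canonicalization or base-directory check) and the fix described here (a configured base folder the resolved path must stay inside) can both be shown in a few lines. The following is an added example written for this page, not code from the Xata Agent repository or from commit 03f27055; the function names, the temporary folder layout and the file names are assumptions. It places the vulnerable join beside a constrained resolver, adds a second check after symlink resolution, and runs a small demonstration against a throwaway directory.

```typescript
// Added example, not Xata Agent code: an unchecked path build next to one
// constrained to a configured base folder, the approach the EVAL_FOLDER fix
// takes. Function names, folder names and file names here are assumptions.
import * as path from "path";
import * as fs from "fs";
import * as os from "os";

// Vulnerable shape: the user argument is joined onto the folder prefix and
// used as-is, so "../" segments walk out of the folder.
export function unsafeEvalPath(evalFolder: string, userArg: string): string {
  return path.join(evalFolder, userArg);
}

// True when `candidate` lies strictly inside `base` (both already resolved).
function isInside(base: string, candidate: string): boolean {
  const rel = path.relative(base, candidate);
  return rel !== "" && rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel);
}

// Hardened shape: canonicalize, then refuse anything that resolves outside
// the base folder. Returns null for every rejected input. Assumes `userArg`
// is the raw query value; if the framework has already percent-decoded it,
// drop the decodeURIComponent step so the value is not decoded twice.
export function safeEvalPath(evalFolder: string, userArg: string): string | null {
  let decoded: string;
  try {
    decoded = decodeURIComponent(userArg);
  } catch {
    return null; // malformed percent-encoding
  }
  if (decoded.includes("\0") || path.isAbsolute(decoded)) return null;
  const base = path.resolve(evalFolder);
  const candidate = path.resolve(base, decoded);
  return isInside(base, candidate) ? candidate : null;
}

// Reads an artifact only if the lexical path and the symlink-resolved path
// both stay under the base folder, so a link inside the folder pointing
// elsewhere is refused. Not-found and rejected both yield null, so the
// caller's response does not distinguish the two.
export function readEvalArtifact(evalFolder: string, userArg: string): string | null {
  const target = safeEvalPath(evalFolder, userArg);
  if (target === null) return null;
  let realBase: string;
  let realTarget: string;
  try {
    realBase = fs.realpathSync(path.resolve(evalFolder));
    realTarget = fs.realpathSync(target);
  } catch {
    return null; // missing file or dangling link
  }
  return isInside(realBase, realTarget) ? fs.readFileSync(realTarget, "utf8") : null;
}

// Builds a throwaway eval folder with one artifact, a sibling "secret" folder
// and (where the platform allows) a symlink from the eval folder to it, then
// exercises the three cases a practitioner cares about. All contents are constructed.
export function demo(): { inside: string | null; lexicalEscape: string | null; symlinkEscape: string | null } {
  const evalDir = fs.mkdtempSync(path.join(os.tmpdir(), "evals-"));
  const secretDir = fs.mkdtempSync(path.join(os.tmpdir(), "secret-"));
  fs.writeFileSync(path.join(evalDir, "run-1.json"), '{"score":1}');
  fs.writeFileSync(path.join(secretDir, ".env"), "DB_PASSWORD=constructed"); // constructed value
  try {
    fs.symlinkSync(secretDir, path.join(evalDir, "link"));
  } catch {
    // symlink creation not permitted here; the symlink case then reads as not-found
  }
  return {
    inside: readEvalArtifact(evalDir, "run-1.json"),
    lexicalEscape: readEvalArtifact(evalDir, "../" + path.basename(secretDir) + "/.env"),
    symlinkEscape: readEvalArtifact(evalDir, "link/.env"),
  };
}
```

The containment test uses path.relative rather than a string prefix comparison on purpose: a prefix check accepts a sibling directory whose name merely starts with the base folder's name. The realpath pass matters in deployments where the evaluation folder is mounted or linked, because the lexical check alone cannot see where a link inside the folder points.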
Detection Methods for CVE-2025-6283
Indicators of Compromise
- HTTP GET requests to /api/evals containing ../, ..%2f, or URL-encoded traversal sequences in query parameters
- Access log entries showing reads of files outside the configured evaluation directory
- Unexpected file access by the Xata Agent process to paths such as /etc/, ~/.env, or application source files
Detection Strategies
- Inspect web server and application logs for query strings containing directory traversal patterns directed at the evaluations endpoint
- Compare deployed Xata Agent versions against 0.3.1 to identify vulnerable instances
- Add web application firewall rules that block traversal sequences on paths matching /api/evals*
Monitoring Recommendations
- Enable file access auditing on the host running the Xata Agent to flag reads outside the EVAL_FOLDER path
- Monitor outbound responses from the agent for unusual file content sizes or types served by /api/evals
- Alert on authenticated sessions issuing repeated GET requests to evaluation endpoints with varying path parameters
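The indicators, the log-inspection strategy and the "repeated requests with varying path parameters" alert above can be implemented as one pass over access logs. The following is an added example written for this page, not Xata tooling; the log format (Common Log Format with an authenticated user field), the query parameter name `path`, the sample lines and the threshold of three distinct values are all assumptions. It decodes percent-encoding repeatedly so that `..%2f` and the double-encoded `..%252f` both surface as `../`, flags traversal attempts against /api/evals, and counts distinct path values per user.

```typescript
// Added example, not Xata Agent or Xata tooling. Scans constructed
// access-log lines for traversal attempts against the evaluations route
// and flags users that probe it with several distinct path values.
// Log format, field names and thresholds are assumptions.

export interface AccessLogEntry {
  client: string;
  user: string;
  method: string;
  target: string; // request path plus query string, as sent
  status: number;
}

// Parses a Common Log Format style line, e.g.
// 10.0.0.5 - alice [19/Jun/2025:10:01:02 +0000] "GET /api/evals?path=x HTTP/1.1" 200 512
const LOG_RE = /^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$/;

export function parseLogLine(line: string): AccessLogEntry | null {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { client: m[1], user: m[2], method: m[3], target: m[4], status: Number(m[5]) };
}

// Decodes percent-encoding a bounded number of times so that "..%2f" and the
// double-encoded "..%252f" both end up as "../" before matching.
export function fullyDecode(s: string, maxRounds = 3): string {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    let next: string;
    try {
      next = decodeURIComponent(cur);
    } catch {
      break; // malformed encoding: match on what we have
    }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// A request is an indicator when it targets /api/evals and, after decoding,
// carries a parent-directory segment (slash or backslash form) or a NUL byte.
export function isTraversalAttempt(entry: AccessLogEntry): boolean {
  const [route] = entry.target.split("?", 1);
  if (!route.startsWith("/api/evals")) return false;
  const decoded = fullyDecode(entry.target);
  return /(^|[\/\\?=&])\.\.([\/\\]|$)/.test(decoded) || decoded.includes("\0");
}

// The value of the assumed `path` query parameter, or null when absent.
function pathParam(entry: AccessLogEntry): string | null {
  const q = entry.target.indexOf("?");
  if (q < 0) return null;
  return new URLSearchParams(entry.target.slice(q + 1)).get("path");
}

export interface ScanReport {
  traversalHits: AccessLogEntry[];
  probingUsers: Record<string, number>; // user -> distinct path values sent to /api/evals
}

// `minDistinct` is the assumed threshold behind "repeated GET requests to
// evaluation endpoints with varying path parameters" from one user.
export function scanLog(lines: string[], minDistinct = 3): ScanReport {
  const traversalHits: AccessLogEntry[] = [];
  const seen = new Map<string, Set<string>>();
  for (const line of lines) {
    const e = parseLogLine(line);
    if (!e || e.method !== "GET") continue;
    if (isTraversalAttempt(e)) traversalHits.push(e);
    const p = pathParam(e);
    if (p !== null && e.target.startsWith("/api/evals")) {
      if (!seen.has(e.user)) seen.set(e.user, new Set<string>());
      seen.get(e.user)!.add(p);
    }
  }
  const probingUsers: Record<string, number> = {};
  seen.forEach((paths, user) => {
    if (paths.size >= minDistinct) probingUsers[user] = paths.size;
  });
  return { traversalHits, probingUsers };
}

// Constructed sample lines, not real Xata Agent logs.
export const SAMPLE_LOG: string[] = [
  '10.0.0.5 - alice [19/Jun/2025:10:01:02 +0000] "GET /api/evals?path=run-1.json HTTP/1.1" 200 512',
  '10.0.0.5 - alice [19/Jun/2025:10:01:09 +0000] "GET /api/evals?path=../../../.env HTTP/1.1" 200 301',
  '10.0.0.5 - alice [19/Jun/2025:10:01:15 +0000] "GET /api/evals?path=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1870',
  '10.0.0.5 - alice [19/Jun/2025:10:01:21 +0000] "GET /api/evals?path=..%252f..%252fpackage.json HTTP/1.1" 200 944',
  '10.0.0.9 - bob [19/Jun/2025:10:02:00 +0000] "GET /api/evals?path=run-2.json HTTP/1.1" 200 498',
  '10.0.0.9 - bob [19/Jun/2025:10:02:30 +0000] "GET /api/other?path=../x HTTP/1.1" 404 0',
];
```

Run scanLog(SAMPLE_LOG) and the three alice requests with traversal segments are reported as hits while her four distinct path values trip the probing threshold; bob's single evals request and his request to a different route are not flagged. Matching on the fully decoded string is what keeps the double-encoded case from slipping past a rule that only looks for a literal `../` or `%2e%2e`.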
How to Mitigate CVE-2025-6283
Immediate Actions Required
- Upgrade the Xata Agent to version 0.3.1 or later, which contains commit 03f27055e0cf5d4fa7e874d34ce8c74c7b9086cc
- Restrict network access to the Xata Agent so the evaluations API is not reachable from untrusted adjacent networks
- Rotate any credentials or API keys that may have been exposed through agent-readable files
Patch Information
The fix is included in Xata Agent v0.3.1. The patch is tracked in pull request #191 and issue #179. It introduces an explicit EVAL_FOLDER configuration variable that constrains evaluation file lookups to a defined base directory.
Workarounds
- Block external and adjacent-network access to the /api/evals route at a reverse proxy or ingress controller until the upgrade is applied
- Run the Xata Agent under a least-privileged user account that cannot read sensitive system files or secrets outside the evaluation directory
- Apply web application firewall rules that reject requests containing .. or URL-encoded traversal patterns on the evaluations endpoint
# Example: set the evaluation folder after upgrading to v0.3.1
export EVAL=true
export EVAL_FOLDER="/var/lib/xata-agent/evals"
# Restart the agent so the new configuration takes effect
systemctl restart xata-agent
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.