Microsoft’s Natural Language Web (NLWeb) project has been found vulnerable to a path traversal attack: a crafted request can manipulate the file path the server resolves and read files that were never meant to be served. The vulnerability was discovered by security researcher Aonan Guan, who reported it on May 28th.
Guan’s investigation revealed that the NLWeb framework failed to sanitize user input and validate file paths before using them. By inserting ../ sequences into the requested path, an attacker can make the server return files outside its designated web root. In one instance, Guan was able to read /etc/passwd, the user account database on Unix-like systems such as Linux and macOS.
The vulnerability also allowed Guan to access files within the app’s own source tree, including the project’s .env file, which typically holds secrets such as API keys. Microsoft acknowledged the report and issued a fix two days later. The patch checks for basic directory traversal attempts and verifies that requested files end with approved extensions before resolving their absolute paths. As a general point about this class of fix, a pattern check applied before resolution is narrower than resolving the path first and then confirming the resolved path still sits under the web root: a symlink inside the served tree, or an encoding the pattern does not anticipate, can pass a string test while still pointing outside the root.
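The following is an added example, not NLWeb’s code or Microsoft’s patch, written in Python to show the three resolver styles discussed above side by side: a naive join that traverses out of the web root, a pattern-style check (reject ".." and unapproved extensions before resolving) that still follows a symlink out of the tree, and a hardened resolver that resolves first and then checks containment. The allowlist of extensions, the function names and the temporary directory layout are assumptions made for the demonstration.

```python
"""Added example (not from NLWeb): path-traversal-prone static file
resolvers beside a hardened one. Every name here is illustrative."""
import os
import tempfile
import urllib.parse

# Assumed allowlist of servable extensions; not taken from NLWeb.
ALLOWED_EXTENSIONS = {".html", ".css", ".js", ".json"}


def vulnerable_resolve(web_root, requested):
    """Naive join: '../' in `requested` walks straight out of web_root."""
    return os.path.join(web_root, requested)


def pattern_check_resolve(web_root, requested):
    """Sketch of a pattern-based fix (illustrative, not the actual patch):
    reject '..' and unapproved extensions before resolving. It never checks
    where the path actually lands, so a symlink inside the tree still leaks."""
    if ".." in requested:
        return None
    if os.path.splitext(requested)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    return os.path.join(web_root, requested)


def hardened_resolve(web_root, requested):
    """Resolve first, then verify containment against the resolved root."""
    decoded = urllib.parse.unquote(requested)  # decode exactly once
    if "\x00" in decoded:
        return None
    root = os.path.realpath(web_root)
    # lstrip('/') so an absolute `requested` cannot replace root in os.path.join
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    try:
        if os.path.commonpath([root, candidate]) != root:
            return None  # escaped root via '..', encoding, or a symlink
    except ValueError:
        return None  # paths on different drives (Windows)
    if candidate == root:
        return None
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def build_fixture():
    """Constructed layout: <tmp>/root/index.html, <tmp>/outside/leak.html,
    and a symlink root/link.html -> outside/leak.html."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "root")
    outside = os.path.join(base, "outside")
    os.makedirs(root)
    os.makedirs(outside)
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<h1>hello</h1>")
    leak = os.path.join(outside, "leak.html")
    with open(leak, "w") as f:
        f.write("SECRET=do-not-serve")
    os.symlink(leak, os.path.join(root, "link.html"))
    return root, leak


def demo():
    """Run each resolver against traversal, symlink and legitimate requests.
    Returns a dict of booleans; every value is expected to be True."""
    root, leak = build_fixture()

    def same(a, b):
        return a is not None and os.path.realpath(a) == os.path.realpath(b)

    index = os.path.join(root, "index.html")
    return {
        "vuln_escapes": same(vulnerable_resolve(root, "../outside/leak.html"), leak),
        "pattern_blocks_dotdot": pattern_check_resolve(root, "../outside/leak.html") is None,
        "pattern_follows_symlink": same(pattern_check_resolve(root, "link.html"), leak),
        "hardened_blocks_dotdot": hardened_resolve(root, "../outside/leak.html") is None,
        "hardened_blocks_encoded": hardened_resolve(root, "%2e%2e/outside/leak.html") is None,
        "hardened_blocks_symlink": hardened_resolve(root, "link.html") is None,
        "hardened_blocks_absolute": hardened_resolve(root, "/etc/passwd") is None,
        "hardened_serves_index": same(hardened_resolve(root, "index.html"), index),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The containment test is done on the output of realpath for both the root and the candidate, so symlinks and ../ are collapsed before the comparison, and the extension check runs on the resolved name rather than on whatever the client typed.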
Guan warns that this vulnerability highlights the risks of interpreting natural language from users in the context of an agentic web, where AI agents handle complex tasks by interacting directly with online services. Unless that input is handled with extreme care, what a user or agent says can be turned into a malicious file path or a system command. Security experts recommend updating NLWeb instances immediately to mitigate this risk.
The incident serves as a reminder that even well-intentioned projects like NLWeb can introduce new attack surfaces if not properly secured. As the agentic web continues to evolve, it is essential to prioritize security and ensure that AI systems are designed with robust safeguards against manipulation and exploitation.
Source: https://www.neowin.net/news/researcher-exposes-microsofts-flawed-code-that-lets-attackers-access-files-on-your-computer