[Security tracking] Arbitrary File Read via Unsanitized `MEDIA:` Tag Path in Gateway Media Extraction (GHSA-jmf9-9729-7pp8)

[YLChen-007]

This issue tracks a private GitHub Security Advisory that is currently in triage.

• Advisory: GHSA-jmf9-9729-7pp8
• Status: triage
• Summary: Arbitrary File Read via Unsanitized MEDIA: Tag Path in Gateway Media Extraction
• Advisory updated: 2026-05-07T11:16:54Z

Technical details, proof-of-concept material, affected code paths, and exploitability notes are intentionally omitted from this public issue while the advisory remains under triage. Please coordinate remediation and disclosure in the private Security Advisory thread.

[alt-glitch]

Related: #4686, #10026, #12850, #16547 (all open PRs fixing the same MEDIA tag path traversal pattern). This security advisory tracks the same vulnerability class.

[teknium1]

Closed by merge of PR #30432 (commit 41d2c75, credit @egilewski).

The fix adds validate_media_delivery_path() in gateway/platforms/base.py and applies it at every MEDIA: delivery site (gateway, weixin adapter, cron scheduler, send_message tool, yuanbao). Only files under the standard Hermes media cache roots are allowed, with symlinks resolved before the containment check. Operators can extend the allowed roots via HERMES_MEDIA_ALLOW_DIRS.

E2E verified: every advisory PoC string blocked, legitimate cache paths still flow through, symlink escape from cache blocked. Advisory GHSA-jmf9-9729-7pp8 closed. Superseded earlier MEDIA-traversal PRs (#4686, #10026, #12850, #16547) — credit also to those reporters for surfacing the class.