Skip to content

Asset copying can write or delete files outside the workspace through "assets[].outDir" #3456

Closed
Closed
Asset copying can write or delete files outside the workspace through "assets[].outDir"#3456
Labels
bugneeds triage
@AdrianoCLeao

Description

@AdrianoCLeao
AdrianoCLeao
opened on Jun 5, 2026

Is there an existing issue for this?

  • I have searched the existing issues

Current behavior

This issue is very similar to #3454

The assets pipeline trusts "compilerOptions.assets[].outDir" and uses it directly to compute the
copy/delete destination.

Again, any attacker or uninformed developer can manipulate this and cause serious havoc in a codebase.

Minimum reproduction code

"outDir": "../nest-cli-assets-outside"

Steps to reproduce

  1. Create a disposable Nest project.
  2. Add "src/asset.txt".
  3. Add the "nest-cli.json" shown below.
  4. Run "nest build".
  5. Observe that the asset is copied to "../nest-cli-assets-outside", outside the project root.
  6. In watch mode, delete the source asset and observe that the computed destination is removed.
{
  "compilerOptions": {
    "assets": [
      {
        "include": "**/*.txt",
        "outDir": "../nest-cli-assets-outside"
      }
    ]
  }
}

Expected behavior

Asset copy and unlink operations should be confined to the project output directory or another
explicitly allowed directory. Relative parent traversal and absolute external paths should be rejected
by default.

Package version

11.0.21

NestJS version

Not application-specific.

Node.js version

22.20.0

In which operating systems have you tested?

  • macOS
  • Windows
  • Linux

Other

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugneeds triage

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions