docx
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): Path Traversal (ZipSlip) vulnerability in multiple files.
  * Evidence: In `ooxml/scripts/unpack.py`, the command `zipfile.ZipFile(input_file).extractall(output_path)` is used on user-provided Office files. Similarly, `ooxml/scripts/validation/docx.py` uses `zip_ref.extractall(temp_dir)`.
  * Risk: A maliciously crafted `.docx` or `.pptx` file containing filenames with `../` sequences can overwrite sensitive files outside the intended directory, potentially leading to command execution (e.g., by overwriting shell profiles).
- [DATA_EXFILTRATION] (HIGH): Insecure XML parsing using `lxml` on untrusted content.
  * Evidence: `ooxml/scripts/validation/docx.py` uses `lxml.etree.parse(str(xml_file))` to process XML files extracted from user-provided documents.
  * Risk: `lxml` is vulnerable to XML External Entity (XXE) attacks. While `defusedxml` is used elsewhere, its omission in the validation logic allows an attacker to use malicious XML within a document to read local files or perform SSRF.
- [COMMAND_EXECUTION] (MEDIUM): Execution of external binaries via subprocess.
  * Evidence: `ooxml/scripts/pack.py` executes `soffice` using `subprocess.run`.
  * Risk: While the arguments are largely constrained, invoking complex office suites on attacker-controlled files increases the attack surface to include any vulnerabilities within the office suite's conversion engine.
- [PROMPT_INJECTION] (HIGH): Indirect Prompt Injection Surface (Category 8).
  * Ingestion points: `unpack.py` and `validate.py` process external Office files.
  * Boundary markers: None.
  * Capability inventory: Arbitrary file write (zipfile), command execution (soffice), and file system access.
  * Sanitization: Inadequate protection against path traversal in zip archives and XXE in XML parsing.
Recommendations
- AI detected serious security threats
Audit Metadata