AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2025-61685: Mastra is a Typescript framework for building AI agents and assistants. Versions 0.13.8 through 0.13.20-alpha.0 are vuln

mediumvulnerability

security

Source: NVD/CVE DatabaseOctober 3, 2025CVE-2025-61685

Summary

Mastra (a TypeScript framework for building AI agents and assistants) versions 0.13.8 through 0.13.20-alpha.0 have a directory traversal vulnerability, which means an attacker can bypass security checks to list files and folders in any directory on a user's computer, potentially exposing sensitive information. The flaw exists because while the code tries to prevent path traversal (unauthorized access to files through manipulated file paths) for reading files, a separate part of the code that suggests directories can be exploited to work around this protection.

Solution / Mitigation

This issue is fixed in version 0.13.20.

Vulnerability Details

CVSS Score

6.5(medium)

EPSS (30-day exploit probability)

EPSS: 0.4%

Classification

Attack Type

Other

Attack SophisticationTrivial

Impact (CIA+S)

confidentiality

AI Component TargetedFramework

Taxonomy References

CWE (Weakness Type)

CWE-548

Affected Vendors

Related Issues

high

CVE-2022-21727: Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for `Dequantize` is vulne

Similar attackNVD/CVE Database

critical

CVE-2026-22252: LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbi

First tracked: February 15, 2026 at 08:53 PM

Classified by LLM (prompt v3) · confidence: 95%