@google/clasp vulnerable to unsafe path traversal cloning or pulling a malicious script
- Severity: High
Description
Cloning or pulling a malicious script allows an attacker to perform a path traversal attack and modify files outside the project's directory, potentially allowing attacker code to run on the developer's machine.
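A containment check of the kind that stops this class of bug, as an added example (not clasp's code and not the 3.2.0 patch): it assumes file names arrive from the remote script project and are written under a local project directory. `resolveInsideProject`, `classify`, the `/work/proj` directory and the sample names are hypothetical and constructed for illustration.

```javascript
'use strict';
const path = require('node:path');

// Hypothetical helper: map a file name received from the remote script
// project to a path that is guaranteed to stay inside projectDir.
function resolveInsideProject(projectDir, remoteName) {
  if (typeof remoteName !== 'string' || remoteName === '' || remoteName.includes('\0')) {
    throw new Error('invalid remote file name');
  }
  // Treat backslashes as separators on every platform, so a name that is
  // harmless on Linux cannot traverse when the project is pulled on Windows.
  const name = remoteName.replace(/\\/g, '/');
  const root = path.resolve(projectDir);
  const target = path.resolve(root, name);
  const rel = path.relative(root, target);
  // An escape shows up as a leading '..' segment or an absolute result
  // (another drive on Windows); '' means the name resolved to the root itself.
  if (rel === '' || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error(`refusing to write outside project directory: ${remoteName}`);
  }
  return target;
}

// Constructed sample: names as a remote project might report them.
const SAMPLE_NAMES = [
  'Code.js',
  'lib/util.js',
  'lib/../Code.js',        // normalises to a path inside the project
  '../../.bashrc',         // climbs out of the project
  '/etc/cron.d/job',       // absolute path ignores the project root
  '..\\..\\AppData\\x.js', // Windows-style separators
  '../proj-evil/x.js',     // sibling directory sharing the root's prefix
];

// Run the check over a list of names and report which would be written.
function classify(projectDir, names) {
  return names.map((n) => {
    try {
      return { name: n, ok: true, path: resolveInsideProject(projectDir, n) };
    } catch (err) {
      return { name: n, ok: false, reason: err.message };
    }
  });
}

console.table(classify('/work/proj', SAMPLE_NAMES));
```

The check is lexical: it does not follow symlinks that already exist inside the project directory.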
Recommendation
Update the @google/clasp package to the latest compatible version. Version details:
- Affected version(s): < 3.2.0
- Patched version(s): 3.2.0
References
Related Issues
- Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory - CVE-2026-30848
- Rollup 4 has Arbitrary File Write via Path Traversal - CVE-2026-27606
- nanotar is vulnerable to path traversal in parseTar() and parseTarGzip() - CVE-2025-69874
- ApostropheCMS has Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction - CVE-2026-32731
- Tags: npm, @google/clasp
Last updated on March 16, 2026