@google/clasp vulnerable to unsafe path traversal cloning or pulling a malicious script
- Severity:
- High
Description
Allows an attacker to perform a “Path Traversal” attack to modify files outside the projects directory, potentially allowing for running attacker code on the developer’s machine.
Recommendation
Update the @google/clasp package to the latest compatible version. Followings are version details:
- Affected version(s): < 3.2.0
- Patched version(s): 3.2.0
References
Related Issues
- Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling - CVE-2026-39365
- Electerm runWidget has a path traversal that leads to arbitrary code execution - CVE-2026-43940
- PsiTransfer: Upload PATCH path traversal can create `config.<NODE_ENV>.js` and lead to code execution on restart - CVE-2026-41180
- i18next-http-middleware has path traversal / SSRF via user-controlled language and namespace parameters - CVE-2026-42353
You might also like:
- Tags:
- npm
- @google/clasp
Anything's wrong? Let us know Last updated on March 16, 2026