CVE-2026-25592
Arbitrary File Write in Semantic Kernel SessionsPythonPlugin SDK

Publication date: 2026-02-06

Last updated on: 2026-02-19

Assigner: GitHub, Inc.

Description
Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. Versions prior to 1.71.0 of Microsoft's Semantic Kernel .NET SDK contain an Arbitrary File Write vulnerability, specifically within the SessionsPythonPlugin. The problem has been fixed in Microsoft.SemanticKernel.Core version 1.71.0. As a mitigation, users can create a Function Invocation Filter which checks the arguments being passed to any calls to DownloadFileAsync or UploadFileAsync and ensures the provided localFilePath is allow-listed.
Meta Information
Published: 2026-02-06
Last Modified: 2026-02-19
Generated: 2026-05-07
AI Q&A: 2026-02-06
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 3 associated CPEs
Vendor | Product | Version / Range
microsoft | semantic_kernel | 1.70.0
microsoft | semantic_kernel.core | to 1.70.0 (exc)
microsoft | semantic_kernel | to 1.39.3 (exc)
CWE
CWE ID | Description
CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-25592 is a critical Arbitrary File Write vulnerability found in Microsoft's Semantic Kernel .NET SDK, specifically in the SessionsPythonPlugin component. The vulnerability occurs because the software improperly handles pathname inputs, allowing attackers to perform path traversal attacks. This means an attacker can write files outside of the intended restricted directories by manipulating file path inputs.

The issue affects versions prior to Microsoft.SemanticKernel.Core 1.70.0 and semantic-kernel pip package versions prior to 1.39.3. It has been fixed in these versions by adding security controls that validate and restrict file upload and download paths.

As a mitigation, users can create a Function Invocation Filter to check and allow-list the localFilePath arguments passed to DownloadFileAsync or UploadFileAsync calls to prevent exploitation. [1, 2]


How can this vulnerability impact me?

This vulnerability allows an attacker with low privileges and no user interaction to remotely write arbitrary files on the affected system. This can lead to severe impacts on confidentiality, integrity, and availability of the system.

  • Confidentiality: Sensitive data could be exposed or overwritten.
  • Integrity: Critical files could be modified or replaced, potentially leading to system compromise.
  • Availability: Malicious files could disrupt system operations or cause denial of service.

The vulnerability has a high CVSS score (9.9 or 10.0 depending on source), indicating it is highly exploitable and impactful.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves improper handling of file path inputs in the SessionsPythonPlugin component of Microsoft's Semantic Kernel .NET SDK, allowing arbitrary file writes via the DownloadFileAsync or UploadFileAsync methods.

Detection can focus on monitoring or auditing calls to these methods, especially looking for unusual or unexpected file paths that attempt directory traversal or write outside allowed directories.

Since the vulnerability is in the SDK code, detection on a network or system level might involve:

  • Reviewing logs or traces of the Semantic Kernel sessions for calls to DownloadFileAsync or UploadFileAsync with suspicious localFilePath arguments.
  • Checking for presence of versions prior to 1.70.0 of Microsoft.SemanticKernel.Core or prior to 1.39.3 of the semantic-kernel pip package.

No specific commands are provided in the resources, but general approaches could include:

  • Using file system monitoring tools to detect unexpected file writes outside of expected directories.
  • Auditing application logs for calls to vulnerable methods with suspicious parameters.
  • Checking installed package versions with commands like `dotnet list package` for .NET projects or `pip show semantic-kernel` for Python environments.

[1, 2]


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade to the fixed versions: Microsoft.SemanticKernel.Core version 1.70.0 or later, or semantic-kernel pip package version 1.39.3 or later.

If immediate upgrade is not possible, implement a Function Invocation Filter that validates and allow-lists the localFilePath arguments passed to DownloadFileAsync or UploadFileAsync calls to ensure only safe, allowed directories are used.

Additionally, configure the SessionsPythonPlugin settings as follows:

  • Set `EnableDangerousFileUploads` to false (default) to disable file uploads unless explicitly needed.
  • Define `AllowedUploadDirectories` and `AllowedDownloadDirectories` to restrict file operations to safe directories.

These controls prevent unauthorized file writes and directory traversal attacks by enforcing strict path validation and limiting file operations to approved locations.

