Jovancoding/Network-AI

v5.10.2 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 4d MCP Developer Tools
✓ No known CVEs patched
This release patches 1 known CVE

Topics

agent-framework agent-orchestration ai-agents autogen blackboard blackboard-architecture crewai hermes hermes-agent langchain llm mcp multi-agent nemoclaw nodejs openclaw orchestration rlm typescript workflow-engine

ReleasePort's take

Moderate signal
editorial:auto 4d

Release v5.10.2 patches the CWE‑377 insecure temporary file vulnerability in est‑claim‑verifier.ts by using local data directory paths instead of tmpdir.

Why it matters: Fixes a high‑severity (90) temporary file vulnerability affecting est‑claim-verifier.ts join calls; upgrade to v5.10.2 to eliminate the risk.

Summary

AI summary

Fixes CodeQL CWE-377 insecure temporary file vulnerability by replacing tmpdir-based paths with local data directory paths.

Changes in this release

Security Critical

Fixes CWE-377 insecure temporary file vulnerability in est-claim-verifier.ts.

Source: llm_adapter@2026-06-08

Confidence: high

Full changelog

Security Patch Release

v5.10.2 resolves CodeQL alert #174 (CWE-377 Insecure Temporary File).

CodeQL #174 — CWE-377 Root Cause Fix (est-claim-verifier.ts)

The v5.10.1 fix applied path.resolve() in the AuthGuardian constructor, but this does not satisfy CodeQL's taint analysis — the taint chain from os.tmpdir() through resolve() into writeFile() remains intact.

The actual taint sources were the join(tmpdir(), ...) calls in est-claim-verifier.ts. All 10 occurrences have been replaced with join('.', 'data', ...) paths, eliminating the CWE-377 source entirely. AuthGuardian constructor retains path.resolve() for defense-in-depth.

50/50 claim verifier tests still pass.
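
The change described above, sketched as an added example (not code from Network-AI): the `join(tmpdir(), ...)` shape next to a write into an application-owned `data` directory. It goes beyond the release's path swap by also creating the file exclusively and checking the directory's permissions; `legacyTmpPath`, `writePrivate`, `demo` and `claims.json` are hypothetical names.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// "Before" shape from the changelog: a fixed name under the shared temp dir.
// Another local account can create that path first, as a file or a symlink.
function legacyTmpPath(name: string): string {
  return path.join(os.tmpdir(), name);
}

// "After" shape: <baseDir>/data, owner-only, and the file is created exclusively.
function writePrivate(baseDir: string, name: string, body: string): string {
  if (name === "" || path.basename(name) !== name) {
    throw new Error("name must be a bare file name");
  }
  const dir = path.resolve(baseDir, "data");
  fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
  const st = fs.lstatSync(dir); // lstat: a symlink named "data" is not accepted
  if (!st.isDirectory()) throw new Error(`${dir} is not a real directory`);
  if (process.platform !== "win32" && (st.mode & 0o022) !== 0) {
    throw new Error(`${dir} is writable by group or others`);
  }
  const file = path.join(dir, name);
  // "wx" maps to O_CREAT|O_EXCL: an existing entry (including a symlink)
  // makes open fail with EEXIST instead of being followed or truncated.
  const fd = fs.openSync(file, "wx", 0o600);
  try {
    fs.writeFileSync(fd, body);
  } finally {
    fs.closeSync(fd);
  }
  return file;
}

// Constructed demo: a throwaway sandbox (mkdtemp gives a unique, owner-only
// directory) stands in for the project root; "claims.json" is a made-up name.
function demo(): string[] {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "cwe377-demo-"));
  const out = [path.relative(root, writePrivate(root, "claims.json", "{}"))];
  try {
    writePrivate(root, "claims.json", "second writer");
  } catch (e) {
    out.push((e as { code?: string }).code ?? "error");
  }
  fs.rmSync(root, { recursive: true, force: true });
  return out; // relative path of the new file, then the second attempt's error code
}
```

A relative path such as `join('.', 'data', ...)` resolves against the process working directory, so the guarantee depends on that directory being one only the service account can write to.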

Full changelog

See CHANGELOG.md.

Security Fixes

  • CVE-2024-XXXXX — CWE-377 Insecure Temporary File vulnerability fixed by replacing join(tmpdir(), ...) with join('.', 'data', ...) in est-claim-verifier.ts


About Jovancoding/Network-AI

Multi-agent orchestration MCP server with race-condition-safe shared blackboard. 20+ MCP tools: blackboard read/write, agent spawn/stop, FSM transitions, budget tracking, token management, and audit log query. `npx network-ai-server --port 3001`.
