This vulnerability has been fixed in https://github.com/icip-cas/PPTAgent/commit/418491a9a1c02d9d93194b5973bb58df35cf9d00.
The save_generated_slides MCP tool accepts a pptx_path argument and writes the generated PPTX file to that path without any workspace restriction or path validation:
# pptagent/mcp_server.py:288-300
async def save_generated_slides(pptx_path: str):
"""Save the generated slides to a PowerPoint file.
Args:
pptx_path: The path to save the PowerPoint file
"""
pptx = Path(pptx_path)
assert len(self.slides), (
"No slides generated, please call `generate_slide` first"
)
pptx.parent.mkdir(parents=True, exist_ok=True) # ← creates arbitrary directories
self.empty_prs.save(pptx_path) # ← writes to arbitrary path
The call to pptx.parent.mkdir(parents=True, exist_ok=True) creates any intermediate directories, and self.empty_prs.save(pptx_path) writes a valid PPTX binary (ZIP archive) to the specified path. No isrelativeto(workspace) check is performed — contrast with download_file in deeppresenter/tools/search.py:290, which correctly enforces workspace confinement.
The server changes directory to WORKSPACE (if set) on startup, so relative paths land in the workspace. Absolute paths, however, reach any filesystem location accessible to the server process.
The concrete attack scenarios include
pptx_path = "/etc/cron.d/backdoor" → writes a PPTX ZIP to a path the cron daemon reads; if the ZIP header is misinterpreted, this may corrupt cron or be exploitable depending on parser behaviour.pptx_path = "/home/user/.bashrc" → overwrites shell init file with a binary blob containing arbitrary content in the PPTX's embedded comments/custom properties.pptx_path = "../../.ssh/known_hosts.pptx" → escapes workspace entirely.pptx_path = "/dev/sda" writes to a raw device.The potential fix is something like:
async def save_generated_slides(pptx_path: str):
workspace = Path(os.getcwd()).resolve()
target = Path(pptx_path).resolve()
if not target.is_relative_to(workspace):
raise ValueError(f"Access denied: path outside workspace: {target}")
target.parent.mkdir(parents=True, exist_ok=True)
self.empty_prs.save(str(target))