ByteDance DeerFlow contains a path traversal vulnerability in bootstrap‑mode custom‑agent creation. When creating an agent, the agent name is used without proper validation, allowing attackers to supply traversal sequences or absolute paths. This causes the application to create directories and write files outside the intended custom‑agent directory. Depending on the file type and the underlying filesystem permissions, the attacker could overwrite configuration files, place malicious binaries, or otherwise tamper with system state, potentially leading to arbitrary code execution or other privilege escalation.

ByteDance DeerFlow before commit 2176b2b of the source repository is affected. The vulnerability applies to any deployment that uses the bootstrap‑mode custom‑agent creation before the code change that enforces proper validation.

The CVSS score of 7.1 classifies the issue as a Medium severity vulnerability. EPSS data is not available, and the vulnerability is not listed in CISA KEV. The likely attack vector is via bootstrap‑mode access, which may be provided through a web API or management interface; exploitation requires the attacker to have the ability to submit agent creation requests. If the underlying file system permissions grant write access to the attacker’s user, the vulnerability could be used to modify or create arbitrary files, potentially enabling further attacks such as privilege escalation or remote code execution.