Impact
Clasp, the command‑line tool for managing Google Apps Script projects, contains a path‑traversal flaw that allows an attacker to write or overwrite arbitrary files on the machine where Clasp runs. A project whose file names contain directory‑traversal sequences such as "../" can cause Clasp to create or modify files outside the intended project directory when the project is written to disk; overwriting a file that the user or the system later executes (a shell start‑up script, for example) can lead to arbitrary code execution. The weakness is classified as CWE‑22, Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal").
Affected Systems
All versions of Google Clasp before 3.2.0 are affected, on every operating system Clasp supports (Windows, macOS and Linux). Any user of a vulnerable version who pulls, clones or otherwise imports a project from an untrusted source is at risk.
Risk and Exploitability
The CVSS score of 8.7 places this flaw in the high‑severity range, while an EPSS score of 1% indicates that widespread exploitation is currently unlikely. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. Based on the description, it is inferred that the attack vector involves supplying a malicious Google Apps Script project whose file names contain directory‑traversal sequences; the attacker therefore needs a way to get the victim to import such a project, which limits the attack surface to users who pull projects from untrusted sources. Until the fixed version is installed, the potential for arbitrary file writes, and through them code execution on the machine running Clasp, remains.
OpenCVE Enrichment
Github GHSA