Impact
Microsoft APM enables community-driven dependency management for AI agents. Prior to version 0.13.0 it contained a Windows-specific boundary failure during legacy-bundle probing. When the install command receives a local .tar.gz that is not recognized as a plugin bundle, the legacy probe extracts all tar members with raw tar.extractall() and does not reject absolute Windows member names such as D:/…. As a result, an attacker who supplies a crafted archive can overwrite any file for which the user executing apm install has write permission. This can lead to tampering with configuration files, executable binaries, or other critical assets, providing a local file overwrite vector that may allow privilege escalation or persistence.
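The missing boundary check can be illustrated with a pre-extraction validator. This is an added example, not APM's code or its actual fix; the names check_member, safe_extract, build_archive and UnsafeMember are hypothetical, and the archives are constructed in memory.

```python
import io
import ntpath
import tarfile


class UnsafeMember(Exception):
    """A tar member would be written outside the destination directory."""


def check_member(member: tarfile.TarInfo) -> None:
    # Judge the name by Windows rules on every host, so "D:/..." is caught
    # even when the check runs on Linux or macOS.
    name = member.name.replace("\\", "/")
    drive, _ = ntpath.splitdrive(name)
    if drive or name.startswith("/"):
        raise UnsafeMember(f"absolute or drive-qualified name: {member.name!r}")
    if ".." in name.split("/"):
        raise UnsafeMember(f"parent-directory component: {member.name!r}")
    # Links and device nodes can redirect later writes; allow files and dirs only.
    if not (member.isfile() or member.isdir()):
        raise UnsafeMember(f"unsupported member type: {member.name!r}")


def safe_extract(fileobj, dest: str) -> list[str]:
    """Validate every member first, then extract; nothing is written on failure."""
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        members = tar.getmembers()
        for member in members:
            check_member(member)
        tar.extractall(dest, members=members)
        return [m.name for m in members]


def build_archive(names) -> io.BytesIO:
    """Constructed sample input: an in-memory .tar.gz with the given member names."""
    data = b"constructed sample\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf
```

Validating the whole member list before the first write means a single bad entry aborts the install without leaving a partially extracted bundle behind.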
Affected Systems
The finding applies to Microsoft APM versions prior to 0.13.0 on Windows systems that use Python 3.10 or 3.11. The vulnerability is triggered only when apm install is run against an unrecognized .tar.gz file and the runtime is older than Python 3.12. Users operating on those environments are affected unless they have already upgraded to the fixed release. No other operating systems or Python versions are mentioned as impacted.
Risk and Exploitability
The CVSS score is 5.5, indicating a moderate severity. The EPSS score is not available, so the concrete exploitation probability cannot be quantified from the current data. The issue is not listed in CISA’s KEV catalog. The attack vector is inferred to be local, because the vulnerability is exercised during a local install operation and depends on the user supplying a malicious archive. Distributed or remote exploitation would require an attacker to obtain local execution of apm or to deliver a malicious bundle to a mechanism that automatically installs bundles. Without additional information, the risk is considered moderate for users who run apm install on potentially untrusted archives.