Technical description
Spring AI's support for Anthropic's Skills API passes LLM-generated filenames directly to Path.resolve before writing files to disk without sanitisation. A malicious user who can influence the LLM's output (e.g., through a crafted prompt or indirect prompt injection) can cause the application to write files outside the intended target directory, including restricted system directories. This is a direct example of 'LLM output is application input' — model-generated content propagating into filesystem operations without validation.
Attack vector
An attacker influences the LLM's file-naming output (through direct or indirect prompt injection in an agentic workflow) so that it includes path traversal tokens (e.g., '../../etc/'). Spring AI passes the unsanitised LLM-derived filename to Path.resolve, which resolves the traversal, and the file is written to the attacker's chosen location before any path validation occurs.
Affected systems
Spring AI versions 1.1.0 through 1.1.x. The flaw is specific to deployments using the Anthropic Skills API support feature, which includes file write operations. Spring AI is widely used in Java enterprise agentic workflow implementations.
Mitigation
Upgrade to Spring AI 1.1.7 immediately. As a defence-in-depth measure, enforce canonical path validation on all LLM-derived filenames, constrain file write roots to explicitly allowlisted directories, treat all model-generated paths as untrusted input, and audit any AI workflow where model output controls filesystem paths, tool arguments, or API parameters.
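The canonical path validation recommended above, shown as an added Java example (not Spring AI's own code): the unsafe resolve-then-write pattern beside a hardened version that rejects any model-derived name escaping an allowlisted root before I/O happens. The root directory, class and method names are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example, not Spring AI's code: unsafe Path.resolve on an LLM-derived
// name, beside a canonical-path check applied before any write.
public class SkillFileWriter {
    // Hypothetical allowlisted root; nothing may be written outside it.
    private final Path root;

    SkillFileWriter(Path root) throws IOException {
        // toRealPath() resolves symlinks so the startsWith comparison is canonical.
        this.root = Files.createDirectories(root).toRealPath();
    }

    // Vulnerable pattern: the model-chosen name is resolved as-is. A name such
    // as "../../etc/cron.d/job" or "/etc/passwd" lands outside the root.
    Path unsafeTarget(String llmFilename) {
        return root.resolve(llmFilename);
    }

    // Hardened pattern: resolve, normalize away ".." segments, then require the
    // result to stay strictly inside the root. Absolute names are caught too,
    // because Path.resolve returns an absolute argument unchanged.
    Path safeTarget(String llmFilename) {
        Path candidate = root.resolve(llmFilename).normalize();
        if (!candidate.startsWith(root) || candidate.equals(root)) {
            throw new IllegalArgumentException(
                "LLM-derived filename escapes allowlisted root: " + llmFilename);
        }
        return candidate;
    }

    // Validation runs first; the write only ever sees a vetted path.
    void write(String llmFilename, byte[] content) throws IOException {
        Path target = safeTarget(llmFilename);
        Files.createDirectories(target.getParent());
        Files.write(target, content);
    }

    public static void main(String[] args) throws IOException {
        SkillFileWriter w = new SkillFileWriter(Files.createTempDirectory("skills-out"));
        // Constructed sample names standing in for model output.
        for (String name : new String[] {"notes/summary.md", "../../etc/cron.d/job", "/etc/passwd"}) {
            try {
                System.out.println("accepted: " + w.safeTarget(name));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + name + " (unsafe resolve -> " + w.unsafeTarget(name) + ")");
            }
        }
    }
}
```

The check is lexical: a symlink already present beneath the root can still point elsewhere, so if the root is writable by other principals, also compare the created file's toRealPath() against the root.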